Would you please share the log files as well? I'm interested in the server logs, something like

LOG.info("Default TLS protocol is {}, supported TLS protocols are {}", defaultProtocol, supported);

On Wed, 2024-11-27 at 14:19 -0600, Andor Molnar wrote:
> I think this must be related to this change:
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4415
>
> ---------------------------------------------------
> * *ssl.protocol* and *ssl.quorum.protocol* :
>   (Java system properties: **zookeeper.ssl.protocol** and
>   **zookeeper.ssl.quorum.protocol**)
>   **New in 3.5.5:**
>   Specifies the protocol to be used in client and quorum TLS
>   negotiation.
>   Default: TLSv1.3 or TLSv1.2 depending on Java runtime version
>   being used.
>
> * *ssl.enabledProtocols* and *ssl.quorum.enabledProtocols* :
>   (Java system properties: **zookeeper.ssl.enabledProtocols** and
>   **zookeeper.ssl.quorum.enabledProtocols**)
>   **New in 3.5.5:**
>   Specifies the enabled protocols in client and quorum TLS
>   negotiation.
>   Default: TLSv1.3, TLSv1.2 if value of `protocol` property is
>   TLSv1.3. TLSv1.2 if `protocol` is TLSv1.2.
> ---------------------------------------------------
>
> I assume you didn't have any of these settings in your original
> zoo.cfg configuration, so with the upgrade the default value of
> ssl.protocol has been changed to TLSv1.3 (IBM JDK should support
> that), but in which case the server should accept both 1.2 and 1.3
> clients.
>
> Let me dig deeper.
>
> On Wed, 2024-11-27 at 14:08 -0600, Andor Molnar wrote:
> > Hi Aayush,
> >
> > Thanks for the report. I'm sure I've seen this problem reported
> > already, let me dig the archives.
> >
> > Basically you're saying that accepted TLS protocol has been changed
> > from TLSv2 to TLSv3, is that correct?
> >
> > Best,
> > Andor
> >
> > On Wed, 2024-11-27 at 17:14 +0000, Aayush Gupta wrote:
> > > Hi,
> > >
> > > We upgraded from Zookeeper 3.9.1 to 3.9.2. TLS was configured
> > > before the upgrade. No TLS version specified as part of zoo.cfg.
> > > Post upgrade, client to server connection is broken with TLS
> > > error (The client supported protocol versions [TLSv1.2, TLSv1.1,
> > > TLSv1] are not accepted by server preferences [TLS13]). Looking
> > > at the logs, client is using TLS 1.2 but it looks like server is
> > > forcing to use TLS 1.3. It's IBM JDK. Post this, made below
> > > changes to zoo.cfg and client-server connection worked fine.
> > > ssl.protocol=TLSv1.2. Is this a new change in 3.9.2 which forces
> > > to use 1.3 by default?
> > >
> > > Also, we have raised a Jira.
> > >
> > > https://issues.apache.org/jira/browse/ZOOKEEPER-4888
> > >
> > > We would really appreciate if we could get a quick solution to
> > > the issue.
> > >
> > > Thanks,
> > > Aayush
> > >
> > > —
> > > Aayush Gupta
> > > Software Engineer II
> > > Precisely.com
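
A JVM-side check related to the log request above, as an added example that is not part of the original thread or of ZooKeeper's code: for each `ssl.protocol` value mentioned in the thread, it prints which TLS versions the running JVM enables by default and which it supports for an SSLContext of that name. The class name `TlsProtocolProbe` is hypothetical, and the output only describes the JVM; any `ssl.enabledProtocols` setting in zoo.cfg is applied separately by ZooKeeper.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic, not ZooKeeper code. Run it with the same Java runtime
// (here: the IBM JDK) that runs the ZooKeeper server.
public class TlsProtocolProbe {

    // Values taken from the thread: the TLSv1.3 default and the TLSv1.2 workaround.
    private static final String[] CANDIDATES = {"TLSv1.3", "TLSv1.2"};

    // Builds an SSLContext for the given protocol name and reports what the
    // JVM enables by default and what it could enable. No connection is made.
    static String describe(String contextProtocol) {
        try {
            SSLContext ctx = SSLContext.getInstance(contextProtocol);
            // Default key managers, trust managers and random source.
            ctx.init(null, null, null);
            SSLParameters enabled = ctx.getDefaultSSLParameters();
            SSLParameters supported = ctx.getSupportedSSLParameters();
            return String.format("%s: provider=%s enabled=%s supported=%s",
                    contextProtocol,
                    ctx.getProvider().getName(),
                    Arrays.toString(enabled.getProtocols()),
                    Arrays.toString(supported.getProtocols()));
        } catch (NoSuchAlgorithmException e) {
            // The JVM has no SSLContext implementation under this name.
            return contextProtocol + ": not available in this JVM (" + e.getMessage() + ")";
        } catch (GeneralSecurityException e) {
            return contextProtocol + ": context could not be initialised (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version"));
        for (String protocol : CANDIDATES) {
            System.out.println(describe(protocol));
        }
    }
}
```

If the `enabled` list for the `TLSv1.3` context does not contain `TLSv1.2`, that matches the "server preferences [TLS13]" error reported for TLS 1.2 clients.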