What's the client's version?
On Wed, 2024-11-27 at 14:21 -0600, Andor Molnar wrote:
> Would you please share the log files as well?
> I'm interested in the server logs something like
>
> LOG.info("Default TLS protocol is {}, supported TLS protocols are {}",
>     defaultProtocol, supported);
>
> On Wed, 2024-11-27 at 14:19 -0600, Andor Molnar wrote:
> > I think this must be related to this change:
> >
> > https://issues.apache.org/jira/browse/ZOOKEEPER-4415
> >
> > ---------------------------------------------------
> > * *ssl.protocol* and *ssl.quorum.protocol* :
> >   (Java system properties: **zookeeper.ssl.protocol** and
> >   **zookeeper.ssl.quorum.protocol**)
> >   **New in 3.5.5:**
> >   Specifies to protocol to be used in client and quorum TLS negotiation.
> >   Default: TLSv1.3 or TLSv1.2 depending on Java runtime version being used.
> >
> > * *ssl.enabledProtocols* and *ssl.quorum.enabledProtocols* :
> >   (Java system properties: **zookeeper.ssl.enabledProtocols** and
> >   **zookeeper.ssl.quorum.enabledProtocols**)
> >   **New in 3.5.5:**
> >   Specifies the enabled protocols in client and quorum TLS negotiation.
> >   Default: TLSv1.3, TLSv1.2 if value of `protocol` property is
> >   TLSv1.3. TLSv1.2 if `protocol` is TLSv1.2.
> > ---------------------------------------------------
> >
> > I assume you didn't have any of these settings in your original
> > zoo.cfg configuration, so with the upgrade the default value of
> > ssl.protocol has been changed to TLSv1.3 (IBM JDK should support
> > that), but in which case the server should accept both 1.2 and 1.3
> > clients.
> >
> > Let me dig deeper.
> >
> > On Wed, 2024-11-27 at 14:08 -0600, Andor Molnar wrote:
> > > Hi Aayush,
> > >
> > > Thanks for the report. I'm sure I've seen this problem reported
> > > already, let me dig the archives.
> > >
> > > Basically you're saying that accepted TLS protocol has been
> > > changed from TLSv2 to TLSv3, is that correct?
> > >
> > > Best,
> > > Andor
> > >
> > > On Wed, 2024-11-27 at 17:14 +0000, Aayush Gupta wrote:
> > > >
> > > > Hi,
> > > >
> > > > We upgraded from Zookeeper 3.9.1 to 3.9.2. TLS was configured
> > > > before the upgrade. No TLS version specified as part of zoo.cfg.
> > > > Post upgrade, client to server connection is broken with TLS
> > > > error (The client supported protocol versions [TLSv1.2, TLSv1.1,
> > > > TLSv1] are not accepted by server preferences [TLS13]). Looking
> > > > at the logs, client is using TLS 1.2, but it looks like server is
> > > > forcing to use TLS 1.3. It's IBM JDK. Post this, made below
> > > > changes to zoo.cfg and client-server connection worked fine.
> > > > ssl.protocol=TLSv1.2. Is this a new change in 3.9.2 which forces
> > > > to use 1.3 by default?
> > > >
> > > > Also, we have raised a Jira.
> > > >
> > > > https://issues.apache.org/jira/browse/ZOOKEEPER-4888
> > > >
> > > > We would really appreciate if we could get a quick solution to
> > > > the issue.
> > > >
> > > > Thanks,
> > > > Aayush
> > > >
> > > > --
> > > > Aayush Gupta
> > > > Software Engineer II
> > > > Precisely.com
> > > >
> > > > ATTENTION: -----
> > > > The information contained in this message (including any files
> > > > transmitted with this message) may contain proprietary, trade
> > > > secret or other confidential and/or legally privileged
> > > > information. Any pricing information contained in this message
> > > > or in any files transmitted with this message is always
> > > > confidential and cannot be shared with any third parties without
> > > > prior written approval from Precisely. This message is intended
> > > > to be read only by the individual or entity to whom it is
> > > > addressed or by their designee. If the reader of this message is
> > > > not the intended recipient, you are on notice that any use,
> > > > disclosure, copying or distribution of this message, in any
> > > > form, is strictly prohibited. If you have received this message
> > > > in error, please immediately notify the sender and/or Precisely
> > > > and destroy all copies of this message in your possession,
> > > > custody or control.
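
The server log line requested in the thread reports the JVM's default and supported TLS protocols. The following added example (not from the thread or the ZooKeeper code base) prints the same information from a standalone JVM and compares the client offer from the error message with the server defaults in the quoted documentation. The class name `TlsProtocolCheck` and its helper names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class; not part of ZooKeeper.
public class TlsProtocolCheck {

    // Protocols this JVM enables by default for the given SSLContext.
    static List<String> enabledByDefault(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    // Protocols this JVM could enable for the same context.
    static List<String> supported(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    // Versions both peers allow, in server order; empty means no handshake is possible.
    static List<String> common(List<String> server, List<String> client) {
        List<String> shared = new ArrayList<>(server);
        shared.retainAll(client);
        return shared;
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLSv1.3", "TLSv1.2"}) {
            try {
                SSLContext ctx = SSLContext.getInstance(name);
                ctx.init(null, null, null); // JVM default key and trust managers
                System.out.printf("%s context: default=%s supported=%s%n",
                        name, enabledByDefault(ctx), supported(ctx));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%s context: not available on this JVM%n", name);
            }
        }

        // Client offer copied from the error message in the thread.
        List<String> client = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");
        // Server lists: the documented default for protocol=TLSv1.3, and the
        // TLS 1.3-only list the error message reports (written here as TLSv1.3).
        List<String> documented = Arrays.asList("TLSv1.3", "TLSv1.2");
        List<String> reported = Arrays.asList("TLSv1.3");

        System.out.println("documented default vs client: " + common(documented, client));
        System.out.println("reported server list vs client: " + common(reported, client));
    }
}
```

Run it with the same JDK that runs the ZooKeeper server, since the per-context defaults are a property of that JVM's TLS provider.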