Hi,

It is strange! I tested the following code with OpenJDK 1.8.0+362, 11.0.21, 17.0.9 and 21.0.2 (installed through brew and sdkman). All results are the same. The default protocol is "TLSv1.3", and the enabled protocols are "[TLSv1.3, TLSv1.2]". I also intercepted the code path in "ClientSSLReloadTest.certificateReloadTest", and found that "SSLContextAndOptions.enabledProtocols" gets `["TLSv1.3", "TLSv1.2"]`.

+    @Test
+    public void testTlsProtocols() throws Exception {
+        System.out.println("default protocol: " + X509Util.DEFAULT_PROTOCOL);
+
+        SSLContext sslContext = SSLContext.getInstance(X509Util.DEFAULT_PROTOCOL);
+        sslContext.init(null, null, null);
+        System.out.println("enabled protocols: " + Arrays.asList(sslContext.getDefaultSSLParameters().getProtocols()));
+    }

Besides, the doc in zookeeperAdmin[1] states the same.

> Specifies the enabled protocols in client and quorum TLS negotiation.
> Default: TLSv1.3, TLSv1.2 if value of protocol property is TLSv1.3. TLSv1.2
> if protocol is TLSv1.2.

Best,
Kezhu Wang

[1]: https://zookeeper.apache.org/doc/r3.9.3/zookeeperAdmin.html

On Sat, May 17, 2025 at 12:13 AM Andor Molnar <an...@apache.org> wrote:
>
> Hi,
>
> We have the following logic to set enabledProtocols property for TLS
> connections:
>
>     String enabledProtocolsInput =
>         config.getProperty(x509Util.getSslEnabledProtocolsProperty());
>     if (enabledProtocolsInput == null) {
>         // Use JDK defaults for enabled protocols:
>         // Protocol TLSv1.3 -> enabled protocols TLSv1.3 and TLSv1.2
>         // Protocol TLSv1.2 -> enabled protocols TLSv1.2
>         return sslContext.getDefaultSSLParameters().getProtocols();
>     }
>     …
>
> The comment is misleading: tested with JDK 11 and getProtocols() returns
> TLSv1.3 only while the default protocol is TLSv1.3. I had to explicitly
> enable TLSv1.2 in the config (ssl.enabledProtocols) to accept connections.
> Unfortunately we don't log this setting.
>
> Regards,
> Andor
>
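The resolution logic both messages discuss (explicit `ssl.enabledProtocols` wins, otherwise the JDK's default list for the configured protocol) as a stand-alone Java example. This is added illustration code, not ZooKeeper's own `X509Util`; the class name, the property keys `ssl.protocol` and `ssl.enabledProtocols`, and the `TLSv1.3` default are assumptions modelled on the values quoted in the thread. It also logs the effective list, which Andor notes the server does not currently do, and warns when TLSv1.2 is missing from the JDK default.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Properties;

/**
 * Added example, not ZooKeeper's own code. Derives the enabled TLS protocol
 * list from a config property with a fallback to the JDK's defaults, and logs
 * the effective list so an operator can see what will actually be negotiated.
 * Class name and property keys are assumptions for this example.
 */
public class EnabledProtocolsCheck {

    // Assumed property names, modelled on the ZooKeeper keys quoted in the thread.
    static final String PROTOCOL_PROP = "ssl.protocol";
    static final String ENABLED_PROTOCOLS_PROP = "ssl.enabledProtocols";
    static final String DEFAULT_PROTOCOL = "TLSv1.3";

    /** Explicit config wins; otherwise the JDK default protocol list for the context. */
    static String[] resolveEnabledProtocols(Properties config)
            throws NoSuchAlgorithmException, KeyManagementException {
        String protocol = config.getProperty(PROTOCOL_PROP, DEFAULT_PROTOCOL);
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);   // default key/trust managers are enough to read defaults

        String explicit = config.getProperty(ENABLED_PROTOCOLS_PROP);
        String[] enabled;
        String source;
        if (explicit == null || explicit.trim().isEmpty()) {
            SSLParameters params = ctx.getDefaultSSLParameters();
            enabled = params.getProtocols();
            source = "JDK default for " + protocol;
        } else {
            enabled = explicit.trim().split("\\s*,\\s*");
            source = ENABLED_PROTOCOLS_PROP;
        }
        // Log the effective setting; the thread notes this is otherwise invisible.
        System.out.println("TLS protocol=" + protocol
                + " enabledProtocols=" + Arrays.toString(enabled)
                + " (source: " + source + ")");
        return enabled;
    }

    /** True if every protocol the deployment must accept is in the enabled list. */
    static boolean acceptsAll(String[] enabled, String... required) {
        return Arrays.asList(enabled).containsAll(Arrays.asList(required));
    }

    public static void main(String[] args) throws Exception {
        // Case 1: no explicit setting, so the JDK default list applies.
        Properties defaults = new Properties();
        String[] fromJdk = resolveEnabledProtocols(defaults);
        if (!acceptsAll(fromJdk, "TLSv1.2")) {
            System.out.println("WARNING: TLSv1.2 is not enabled by default on this JDK; set "
                    + ENABLED_PROTOCOLS_PROP + " explicitly if TLSv1.2 peers must connect");
        }

        // Case 2: explicit setting, as Andor did to accept TLSv1.2 connections.
        Properties explicit = new Properties();
        explicit.setProperty(ENABLED_PROTOCOLS_PROP, "TLSv1.3,TLSv1.2");
        String[] fromConfig = resolveEnabledProtocols(explicit);
        System.out.println("accepts TLSv1.2: " + acceptsAll(fromConfig, "TLSv1.2"));
    }
}
```

Running it on a stock JDK prints the same list Kezhu observed, but the JDK default is not a constant: it is shaped by the `jdk.tls.client.protocols` system property and by the `jdk.tls.disabledAlgorithms` entry in the runtime's `java.security` file, so a JDK whose security policy has been tightened can report a shorter list than another build of the same major version. That is exactly why logging the effective value at startup is worth more than a comment describing what the default is expected to be.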