[
https://issues.apache.org/jira/browse/ZOOKEEPER-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499955#comment-17499955
]
Anoop Negi commented on ZOOKEEPER-4415:
---------------------------------------
Hi [~tsaarni],
Zookeeper overrides the default ciphers if we set TLSv1.3 ciphers only, i.e.
ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
and then TLSv1.2 is not working.
Our concern is that we are not sure of the client version, so to support legacy clients,
can we concatenate both cipher lists (no duplicate entries),
or can the Java 11 default list be used?
What would be the best way to support legacy clients which use the old TLSv1.2 ciphers
and the new clients using the ciphers recommended by IANA?
Would need your opinion on that.
Thanks in advance.
Regards,
Anoop
> Zookeeper 3.7.0 : The client supported protocol versions [TLSv1.3] are not
> accepted by server preferences
> ---------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4415
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4415
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.7.0
> Reporter: Santosh Kumar Sahu
> Priority: Blocker
>
> We are trying to add TLSv1.3 support in Zookeeper; currently, by default,
> TLSv1.2 is supported.
> Following is the configuration:
> {code:java}
> ssl.protocol=TLSv1.3
> ssl.enabledProtocols=TLSv1.3,TLSv1.2
> serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> sslQuorumReloadCertFiles=true
> quorumListenOnAllIPs=true
> secureClientPort=2281
> sslQuorum=false
> portUnification=true
> ssl.quorum.clientAuth=need
> ssl.quorum.hostnameVerification=true
> ssl.quorum.keyStore.location=/opt/zookeeper/cert/cert1.pem
> ssl.quorum.trustStore.location=/opt/zookeeper/cert/cacert.pem
> ssl.trustStore.location=/opt/zookeeper/cert/ca/clientcacert.pem
> ssl.keyStore.location=/opt/zookeeper/cert/cert1.pem
> ssl.clientAuth=need
> {code}
> By setting "{*}ssl.enabledProtocols=TLSv1.3,TLSv1.2{*}", only TLSv1.2
> communication is working, but for TLSv1.3 the following error is coming:
>
> {code:java}
> 2021-10-07T12:24:44.121+0000 [myid:] - ERROR
> [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CertificateVerifier@434] -
> Unsuccessful handshake with session 0x0
> 2021-10-07T12:24:44.123+0000 [myid:] - WARN
> [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] -
> Exception caught
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException:
> The client supported protocol versions [TLSv1.3] are not accepted by server
> preferences [TLS12]
> at
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol
> versions [TLSv1.3] are not accepted by server preferences [TLS12]
> at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
> at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
> ~[?:?]
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
> ~[?:?]
> at sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
> ~[?:?]
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:916)
> ~[?:?]
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:832)
> ~[?:?]
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
> ~[?:?]
> at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
> at
> sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
> ~[?:?]
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
> ~[?:?]
> at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
> ~[?:?]
> at
> io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> ... 17 more
> {code}
> Error: "The client supported protocol versions [TLSv1.3] are not accepted by
> server preferences"
>
>
> Zookeeper is using {*}netty 4.1.50, which supports TLSv1.3{*} (netty 4.1.31
> onwards supports TLSv1.3, ref:
> [https://netty.io/news/2018/10/30/4-1-31-Final.html]).
> When trying openssl with -tls1_3 to connect to zookeeper over the TLS port,
> it failed with the following error:
> {code:java}
> openssl s_client --connect zookeeper1:2281 --cert
> /run/secret/client/clicert.pem --key /run/secret/client/cliprivkey.pem
> --CAfile /run/secret/ca/cacert.pem -tls1_3
> CONNECTED(00000003)
> 140629337047680:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert
> protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 318 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> {code}
>
> And if *ssl.enabledProtocols=TLSv1.3* (only TLSv1.3), then TLSv1.2 is also not
> working, and the following error is coming in the logs:
> {code:java}
> at
> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
> [netty-transport-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> [netty-common-4.1.50.Final.jar:4.1.50.Final]
> at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol
> (protocol is disabled or cipher suites are inappropriate)
> at
> sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170) ~[?:?]
> at
> sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
> ~[?:?]
> at
> sun.security.ssl.TransportContext.kickstart(TransportContext.java:222) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:491)
> ~[?:?]
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
> ~[?:?]
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
> ~[?:?]
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
> at
> io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
> ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> at
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
> ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
> ... 17 more
> {code}
> Error: "No appropriate protocol (protocol is disabled or cipher suites are
> inappropriate)"
> I wonder if TLSv1.3 is really supported in zookeeper or not; if yes, then from
> which version onwards?
> So, we would need help to enable TLSv1.3 support;
> let us know if any further information is required.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
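The failure Anoop describes (a TLSv1.3-only ssl.ciphersuites list leaving TLSv1.2 with no usable suite, which JSSE reports as "No appropriate protocol") can be caught before the server is restarted. The following is an added example, not ZooKeeper code: it lints an ssl.enabledProtocols / ssl.ciphersuites pair using the JSSE cipher-suite naming (TLS 1.3 suites carry no key-exchange part in their name, per RFC 8446, and cannot be negotiated under TLS 1.2) and builds the de-duplicated merged list the comment proposes. The TLS 1.2 suite in the sample merge is a constructed value, not taken from the issue.

```python
# Added example (not ZooKeeper's own code): lint a ZooKeeper-style
# ssl.enabledProtocols / ssl.ciphersuites pair and merge suite lists.

# RFC 8446 (TLS 1.3) suites as named by JSSE. They have no "<kex>_WITH_" part
# and are only negotiable under TLSv1.3; every TLSv1.2 suite name has one.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def parse_list(value):
    """Split a comma-separated ZooKeeper property value, ignoring blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def suite_protocol(suite):
    """Return the protocol a JSSE cipher-suite name is negotiable under."""
    if suite in TLS13_SUITES:
        return "TLSv1.3"
    if "_WITH_" in suite:
        return "TLSv1.2"
    raise ValueError("unrecognised cipher suite name: " + suite)


def check_config(enabled_protocols, ciphersuites):
    """Map each enabled protocol (TLSv1.2 / TLSv1.3) to the configured suites
    it can use. An empty list is exactly the state JSSE rejects with
    'No appropriate protocol (protocol is disabled or cipher suites are
    inappropriate)' when a client offers only that protocol."""
    protocols = parse_list(enabled_protocols)
    suites = parse_list(ciphersuites)
    for p in protocols:
        if p not in ("TLSv1.2", "TLSv1.3"):
            raise ValueError("unsupported protocol in this check: " + p)
    return {p: [s for s in suites if suite_protocol(s) == p] for p in protocols}


def merged_ciphersuites(*lists):
    """Concatenate several ssl.ciphersuites values, dropping duplicate entries
    while keeping first-seen order (the concatenation the comment asks about)."""
    seen, out = set(), []
    for lst in lists:
        for s in parse_list(lst):
            if s not in seen:
                seen.add(s)
                out.append(s)
    return ",".join(out)


if __name__ == "__main__":
    # Values from the issue: both protocols enabled, TLS 1.3-only suite list.
    report = check_config("TLSv1.3,TLSv1.2",
                          "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384")
    for proto, usable in report.items():
        print(proto, "OK" if usable else "NO USABLE SUITE", usable)
    # Constructed TLS 1.2 suite appended so legacy clients can negotiate too.
    print(merged_ciphersuites("TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
                              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
```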