This looks like the post-POODLE commit: https://issues.apache.org/jira/browse/CASSANDRA-10508
I think you might just set 'TLS' as in the example to use the JVM's preferred TLS protocol version.

--
Michael

On 01/16/2018 08:13 AM, Tommy Stendahl wrote:
> Hi,
>
> I have problems upgrading a cluster from 3.0.14 to 3.11.1 but when I
> upgrade the first node it fails to gossip.
>
> I have server encryption enabled on all nodes with this setting:
>
> server_encryption_options:
>     internode_encryption: all
>     keystore: /usr/share/cassandra/.ssl/server/keystore.jks
>     keystore_password: 'xxxxxxxxxxxxx'
>     truststore: /usr/share/cassandra/.ssl/server/truststore.jks
>     truststore_password: 'xxxxxxxxxxxxx'
>     protocol: TLSv1.2
>     cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
>
> I get this error in the log:
>
> 2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
>     at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
>     at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
>     at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]
>
> I suspect that this has something to do with the change in
> CASSANDRA-10508. Any suggestions on how to get around this would be very
> much appreciated.
>
> Thanks,
> /Tommy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: user-h...@cassandra.apache.org
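
The "SSLv2Hello is disabled" exception in the quoted log is what JSSE raises when the first bytes on the socket are an SSLv2-format ClientHello and "SSLv2Hello" is not among the receiver's enabled protocols. The following is an added example, not code from this thread or from Cassandra: it classifies the opening bytes captured on the internode port (7001 in the log) so you can see which hello format the sending node used. The function names and sample bytes are constructed for illustration, and the check models only that first-record decision, not full version negotiation.

```python
import struct

# (major, minor) version bytes -> protocol name
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_first_bytes(data: bytes) -> dict:
    """Classify the opening bytes a peer sent on a TLS listener."""
    if len(data) < 5:
        return {"format": "truncated"}
    # SSLv2-format ClientHello: 2-byte header with the high bit set,
    # msg type 1 (CLIENT-HELLO), then the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return {"format": "SSLv2Hello", "length": length,
                "offers": VERSIONS.get((data[3], data[4]), "unknown")}
    # TLS record: content type 22 (handshake), record version, 2-byte length.
    if data[0] == 0x16 and data[1] == 0x03:
        _, major, minor, length = struct.unpack("!BBBH", data[:5])
        info = {"format": "TLS record", "length": length,
                "record_version": VERSIONS.get((major, minor), "unknown")}
        # Handshake type 1 = ClientHello; client_version follows the
        # 1-byte type and 3-byte length of the handshake header.
        if len(data) >= 11 and data[5] == 0x01:
            info["offers"] = VERSIONS.get((data[9], data[10]), "unknown")
        return info
    return {"format": "not TLS"}

def passes_first_record_check(data: bytes, enabled_protocols: set) -> bool:
    """Model of the receiver's first-record decision only (an assumption-level
    simplification): a v2-format hello needs 'SSLv2Hello' enabled."""
    info = classify_first_bytes(data)
    if info["format"] == "SSLv2Hello":
        return "SSLv2Hello" in enabled_protocols
    return info["format"] == "TLS record"

# Constructed sample: v2-format hello that offers TLSv1.2 (28-byte body).
SAMPLE_V2_HELLO = bytes([0x80, 0x1C, 0x01, 0x03, 0x03, 0x00, 0x03,
                         0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x2F]) + bytes(16)
# Constructed sample: first 11 bytes of a TLS-record ClientHello.
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01,
                          0x00, 0x00, 0x2B, 0x03, 0x03])

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2_HELLO), ("tls", SAMPLE_TLS_HELLO)):
        print(name, classify_first_bytes(sample),
              passes_first_record_check(sample, {"TLSv1.2"}))
```
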