I think what this error indicates is that a client is trying to connect using an SSLv2Hello handshake, while this protocol has been disabled on the server side. Starting with the mentioned ticket, we use the JVM default list of enabled protocols. What makes this issue a bit confusing is that starting with 1.7 SSLv2Hello should be disabled by default on the client side, but not on the server side. Cassandra should be able to accept SSLv2Hello connections from 3.0 nodes just fine. What JRE do you use? Any custom SSL-specific settings that might be effective here?
On 16.01.2018 15:13, Tommy Stendahl wrote:
> Hi,
>
> I have problems upgrading a cluster from 3.0.14 to 3.11.1 but when I
> upgrade the first node it fails to gossip.
>
> I have server encryption enabled on all nodes with this setting:
>
> server_encryption_options:
>     internode_encryption: all
>     keystore: /usr/share/cassandra/.ssl/server/keystore.jks
>     keystore_password: 'xxxxxxxxxxxxx'
>     truststore: /usr/share/cassandra/.ssl/server/truststore.jks
>     truststore_password: 'xxxxxxxxxxxxx'
>     protocol: TLSv1.2
>     cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
>
> I get this error in the log:
>
> 2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
>     at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
>     at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
>     at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]
>
> I suspect that this has something to do with the change in
> CASSANDRA-10508. Any suggestions on how to get around this would be very
> much appreciated.
>
> Thanks, /Tommy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: user-h...@cassandra.apache.org
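An added example, not part of the original thread or of Cassandra's code: a Python classifier that tells an SSLv2-format ClientHello (the "SSLv2Hello" named in the exception) from a TLS-record ClientHello by the first bytes a peer sends, which is how a packet capture on the internode port would show which nodes open with the old framing. The function names are hypothetical and both sample byte strings are constructed.

```python
import struct

# Wire encoding of protocol versions (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def _version(major: int, minor: int) -> str:
    return VERSIONS.get((major, minor), "0x%02x%02x" % (major, minor))


def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a peer sent to a TLS listener."""
    if len(data) < 5:
        return {"format": "unknown"}
    # SSLv2 framing: high bit of byte 0 set, 15-bit length, then message
    # type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"format": "SSLv2Hello", "record_length": length,
                "max_version": _version(data[3], data[4])}
    # SSLv3/TLS framing: content type 22 (handshake), record version, length.
    if data[0] == 0x16 and data[1] == 3:
        result = {"format": "TLS", "record_length": struct.unpack(">H", data[3:5])[0],
                  "record_version": _version(data[1], data[2])}
        # client_version follows the 5-byte record header and the 4-byte
        # handshake header (type 1 = ClientHello, 3-byte length).
        if len(data) >= 11 and data[5] == 0x01:
            result["max_version"] = _version(data[9], data[10])
        return result
    return {"format": "unknown"}


def sample_sslv2_hello() -> bytes:
    """Constructed sample: SSLv2-format hello offering TLSv1.2."""
    body = (b"\x01\x03\x03" + struct.pack(">HHH", 3, 0, 16)
            + b"\x00\x00\x2f" + bytes(16))  # one cipher spec, 16-byte challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def sample_tls_hello() -> bytes:
    """Constructed sample: TLS-record ClientHello offering TLSv1.2."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    for name, sample in (("sslv2", sample_sslv2_hello()), ("tls", sample_tls_hello())):
        print(name, classify_client_hello(sample))
```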