Thanks for your response.

I got it working by removing my protocol setting from the configuration on the 3.11.1 node so it uses the default protocol setting. I'm not sure exactly how that changes things, so I need to investigate that. We don't have any custom SSL settings that should affect this, and we use jdk1.8.0_152.

But I think this should have worked; as you say, SSLv2Hello should be enabled on the server side, so I don't understand why I can't specify TLSv1.2.

/Tommy

On 2018-01-17 11:03, Stefan Podkowinski wrote:
I think what this error indicates is that a client is trying to connect
using a SSLv2Hello handshake, while this protocol has been disabled on
the server side. Starting with the mentioned ticket, we use the JVM
default list of enabled protocols. What makes this issue a bit
confusing, is that starting with 1.7 SSLv2Hello should be disabled by
default on the client side, but not on the server side. Cassandra should
be able to accept SSLv2Hello connections from 3.0 nodes just fine. What
JRE do you use? Any custom ssl specific settings that might be effective
here?

On 16.01.2018 15:13, Tommy Stendahl wrote:
Hi,

I have problems upgrading a cluster from 3.0.14 to 3.11.1: when I
upgrade the first node, it fails to gossip.

I have server encryption enabled on all nodes with this setting:

server_encryption_options:
     internode_encryption: all
     keystore: /usr/share/cassandra/.ssl/server/keystore.jks
     keystore_password: 'xxxxxxxxxxxxx'
     truststore: /usr/share/cassandra/.ssl/server/truststore.jks
     truststore_password: 'xxxxxxxxxxxxx'
     protocol: TLSv1.2
     cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]


I get this error in the log:

2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
     at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
     at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
     at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
     at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
     at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]

I suspect that this has something to do with the change in
CASSANDRA-10508. Any suggestions on how to get around this would be very
much appreciated.

Thanks, /Tommy



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
For additional commands, e-mail: user-h...@cassandra.apache.org
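
Added example, not part of the thread and not Cassandra code: a small classifier for the first bytes a peer sends to a TLS listener, telling an SSLv2-format ClientHello (the framing JSSE names SSLv2Hello) apart from a TLS-record ClientHello, which is the distinction the error above turns on. The function names and the sample byte strings are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # ClientHello message type, same value in both framings
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_first_bytes(data: bytes) -> dict:
    """Classify the opening bytes of an inbound connection on a TLS port."""
    if len(data) < 5:
        return {"format": "too-short", "offered": None}
    # TLS record framing: type(1) | record version(2) | length(2)
    if data[0] == TLS_HANDSHAKE and data[1] == 3:
        offered = None
        # Handshake header: msg type(1) | length(3) | client_version(2)
        if len(data) >= 11 and data[5] == CLIENT_HELLO:
            offered = VERSIONS.get((data[9], data[10]), "unknown")
        return {"format": "tls-record", "offered": offered}
    # SSLv2-format framing: 2-byte length with the high bit set,
    # msg type 1, then the highest protocol version the client offers.
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        offered = VERSIONS.get((data[3], data[4]), "unknown")
        return {"format": "sslv2hello", "offered": offered}
    return {"format": "not-tls", "offered": None}

def sample_v2_hello() -> bytes:
    """Constructed SSLv2-format ClientHello that offers TLSv1.2."""
    ciphers, challenge = b"\x00\x00\x2f", bytes(16)
    body = struct.pack(">BBBHHH", CLIENT_HELLO, 3, 3,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def sample_tls_hello() -> bytes:
    """Constructed TLS-record ClientHello that offers TLSv1.2."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake

if __name__ == "__main__":
    for name, raw in (("v2-format", sample_v2_hello()),
                      ("tls-record", sample_tls_hello())):
        print(name, raw[:11].hex(), classify_first_bytes(raw))
```

Both samples offer TLSv1.2; only the framing of the first message differs, and a listener without SSLv2Hello in its enabled protocols rejects the first kind before version negotiation.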
