If I remember correctly, the protocol names differ between some JRE vendors.

With IBM Java, for instance, the protocol name would be TLSv12 (without the .).

Are you using the same JRE on all nodes, and are the protocol name and cipher
names exactly the same on all nodes?

2018-01-17 14:51 GMT+01:00 Tommy Stendahl <tommy.stend...@ericsson.com>:

> Thanks for your response.
>
> I got it working by removing my protocol setting from the configuration on
> the 3.11.1 node so it uses the default protocol setting. I'm not sure
> exactly how that changes things, so I need to investigate that. We don't have
> any custom SSL settings that should affect this and we use jdk1.8.0_152.
>
> But I think this should have worked. As you say, SSLv2Hello should be
> enabled on the server side, so I don't understand why I can't specify TLSv1.2.
>
> /Tommy
>
>
> On 2018-01-17 11:03, Stefan Podkowinski wrote:
>
>> I think what this error indicates is that a client is trying to connect
>> using an SSLv2Hello handshake, while this protocol has been disabled on
>> the server side. Starting with the mentioned ticket, we use the JVM
>> default list of enabled protocols. What makes this issue a bit
>> confusing is that starting with 1.7 SSLv2Hello should be disabled by
>> default on the client side, but not on the server side. Cassandra should
>> be able to accept SSLv2Hello connections from 3.0 nodes just fine. What
>> JRE do you use? Any custom SSL-specific settings that might be effective
>> here?
>>
>> On 16.01.2018 15:13, Tommy Stendahl wrote:
>>
>>> Hi,
>>>
>>> I have problems upgrading a cluster from 3.0.14 to 3.11.1; when I
>>> upgrade the first node, it fails to gossip.
>>>
>>> I have server encryption enabled on all nodes with this setting:
>>>
>>> server_encryption_options:
>>>      internode_encryption: all
>>>      keystore: /usr/share/cassandra/.ssl/server/keystore.jks
>>>      keystore_password: 'xxxxxxxxxxxxx'
>>>      truststore: /usr/share/cassandra/.ssl/server/truststore.jks
>>>      truststore_password: 'xxxxxxxxxxxxx'
>>>      protocol: TLSv1.2
>>>      cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
>>>
>>>
>>> I get this error in the log:
>>>
>>> 2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
>>> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>>>      at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
>>>      at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
>>>      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
>>>      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
>>>      at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
>>>      at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
>>>      at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
>>>      at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
>>>      at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]
>>>
>>> I suspect that this has something to do with the change in
>>> CASSANDRA-10508. Any suggestions on how to get around this would be very
>>> much appreciated.
>>>
>>> Thanks, /Tommy
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
>>> For additional commands, e-mail: user-h...@cassandra.apache.org
>
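
For comparing nodes along the lines asked about in the replies above, a plain JSSE diagnostic, added here as an example and not code from the thread or from Cassandra. It reports whether a protocol name is known to the JRE, which protocols client and server sockets enable by default, and what remains enabled once the server list is pinned to that one name. The class name `JsseProtocolCheck` is hypothetical, and how Cassandra itself applies the `protocol` setting is not shown.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added diagnostic (hypothetical class name): run it with the same JRE that runs Cassandra on each node.
// Usage: javac JsseProtocolCheck.java && java JsseProtocolCheck TLSv1.2
public class JsseProtocolCheck {
    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "TLSv1.2";
        System.out.println("JRE: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));

        SSLContext ctx;
        try {
            // The name is resolved by the installed JSSE provider; an unknown name fails here.
            ctx = SSLContext.getInstance(name);
        } catch (NoSuchAlgorithmException e) {
            System.out.println("'" + name + "' is not a known protocol name on this JRE: " + e.getMessage());
            return;
        }
        ctx.init(null, null, null); // default key and trust managers; no handshake is performed
        System.out.println("Supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // Unconnected client socket and unbound server socket: nothing touches the network.
        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory().createSocket();
             SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            System.out.println("Client default enabled: " + Arrays.toString(client.getEnabledProtocols()));
            System.out.println("Server default enabled: " + Arrays.toString(server.getEnabledProtocols()));

            if (!Arrays.asList(server.getSupportedProtocols()).contains(name)) {
                System.out.println("'" + name + "' is a context name but not a socket protocol name here");
                return;
            }
            // Pinning the accepted list to one name replaces the defaults, SSLv2Hello included.
            server.setEnabledProtocols(new String[] {name});
            boolean v2Hello = Arrays.asList(server.getEnabledProtocols()).contains("SSLv2Hello");
            System.out.println("Server enabled after pinning to " + name + ": "
                    + Arrays.toString(server.getEnabledProtocols())
                    + " (SSLv2Hello enabled: " + v2Hello + ")");
        }
    }
}
```

Comparing the output from a 3.0.14 node and the 3.11.1 node shows whether the JREs agree on the protocol name and on the default enabled lists.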
