Unsubscribe link?
-Brian
-----Original Message-----
From: Andor Molnar <an...@apache.org>
Sent: Wednesday, November 27, 2024 3:35 PM
To: d...@zookeeper.apache.org; zk user <user@zookeeper.apache.org>
Subject: Re: ZK upgrade from 3.9.1 to 3.9.2
What's the client's version?
On Wed, 2024-11-27 at 14:21 -0600, Andor Molnar wrote:
> Would you please share the log files as well?
> I'm interested in the server logs something like
>
> LOG.info("Default TLS protocol is {}, supported TLS protocols are {}",
> defaultProtocol, supported);
>
>
>
>
> On Wed, 2024-11-27 at 14:19 -0600, Andor Molnar wrote:
> > I think this must related to this change:
> >
> > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiss
> > ues.apache.org%2Fjira%2Fbrowse%2FZOOKEEPER-4415&data=05%7C02%7C%7C9a
> > 39a4e54b0c40dde63408dd0f231da5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C
> > 1%7C0%7C638683365675752225%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiO
> > nRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyf
> > Q%3D%3D%7C0%7C%7C%7C&sdata=Rsd9riI0XQDi%2B5YXoX9s%2BgY3uhkwUiF0HdIxz
> > 5bNgE8%3D&reserved=0
> >
> > ---------------------------------------------------
> > * *ssl.protocol* and *ssl.quorum.protocol* :
> > (Java system properties: **zookeeper.ssl.protocol** and
> > **zookeeper.ssl.quorum.protocol**)
> > **New in 3.5.5:**
> > Specifies to protocol to be used in client and quorum TLS
> > negotiation.
> > Default: TLSv1.3 or TLSv1.2 depending on Java runtime version
> > being used.
> >
> > * *ssl.enabledProtocols* and *ssl.quorum.enabledProtocols* :
> > (Java system properties: **zookeeper.ssl.enabledProtocols** and
> > **zookeeper.ssl.quorum.enabledProtocols**)
> > **New in 3.5.5:**
> > Specifies the enabled protocols in client and quorum TLS
> > negotiation.
> > Default: TLSv1.3, TLSv1.2 if value of `protocol` property is
> > TLSv1.3. TLSv1.2 if `protocol` is TLSv1.2.
> > ---------------------------------------------------
> >
> > I assume you didn't have any of these settings in your original
> > zoo.cfg configuration, so with the upgrade the default value of
> > ssl.protocol has been changed to TLSv1.3 (IBM JDK should support
> > that), but in which case the server should accept both 1.2 and 1.3
> > clients.
> >
> > Let me dig deeper.
> >
> >
> >
> >
> > On Wed, 2024-11-27 at 14:08 -0600, Andor Molnar wrote:
> > > Hi Aayush,
> > >
> > > Thanks for the report. I'm sure I've seen this problem reported
> > > already, let me dig the archives.
> > >
> > > Basically you're saying that accepted TLS protocol has been
> > > changed from TLSv2 to TLSv3, is that correct?
> > >
> > > Best,
> > > Andor
> > >
> > >
> > >
> > >
> > > On Wed, 2024-11-27 at 17:14 +0000, Aayush Gupta wrote:
> > > >
> > > > Hii ,
> > > >
> > > > We upgraded from Zookeeper 3.9.1 to 3.9.2. TLS was configured
> > > > before the upgrade. No TLS version specified as part of zoo.cfg.
> > > > Post upgrade, client to server connection is broken with TLS
> > > > error (The client supported protocol versions [TLSv1.2, TLSv1.1,
> > > > TLSv1] are not accepted by server preferences [TLS13]). Looking
> > > > at the logs, client is using TLS 1.2 and but it looks like
> > > > server is forcing to use TLS 1.3. Its IBM JDK. Post this, made
> > > > below changes to zoo.cfg and client-server connection worked
> > > > fine. ssl.protocol=TLSv1.2. Is this a new change in 3.9.2 which
> > > > forces to use 1.3 by default?
> > > >
> > > > Also , we have raised a Jira.
> > > >
> > > > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2
> > > > Fissues.apache.org%2Fjira%2Fbrowse%2FZOOKEEPER-4888&data=05%7C02
> > > > %7C%7C9a39a4e54b0c40dde63408dd0f231da5%7C84df9e7fe9f640afb435aaa
> > > > aaaaaaaaa%7C1%7C0%7C638683365675788594%7CUnknown%7CTWFpbGZsb3d8e
> > > > yJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOI
> > > > joiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=pgVXb%2BWOcNSj26%
> > > > 2BKTyIE6lFuK1ZFdY6XTxIAdvSyfi8%3D&reserved=0
> > > >
> > > > We would really appreciate if we could get a quick solution to
> > > > the issue.
> > > >
> > > > Thanks,
> > > > Aayush
> > > >
> > > >
> > > >
> > > >
> > > > -
> > > > Aayush Gupta
> > > > Software Engineer II
> > > > Precisely.com
> > > >
> > > > p
> > > >
> > > > ATTENTION: -----
> > > > The information contained in this message (including any files
> > > > transmitted with this message) may contain proprietary, trade
> > > > secret or other confidential and/or legally privileged
> > > > information.
> > > > Any
> > > > pricing information contained in this message or in any files
> > > > transmitted with this message is always confidential and cannot
> > > > be shared with any third parties without prior written approval
> > > > from Precisely. This message is intended to be read only by the
> > > > individual or entity to whom it is addressed or by their
> > > > designee. If the reader of this message is not the intended
> > > > recipient, you are on notice that any use, disclosure, copying
> > > > or distribution of this message, in any form, is strictly
> > > > prohibited. If you have received this message in error, please
> > > > immediately notify the sender and/or Precisely and destroy all
> > > > copies of this message in your possession, custody or control.
> > >
> >
>
