[ https://issues.apache.org/jira/browse/CASSANDRA-14842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665214#comment-16665214 ]
Tommy Stendahl commented on CASSANDRA-14842:
--------------------------------------------

I turned on ssl debugging. I'm no ssl expert in any way so I'm not sure how to read these logs but I think I found a few interesting points at least.

When a 3.0.x node successfully connects to another 3.0.x node it looks like this:
{noformat}
MessagingService-Outgoing-/10.216.193.246, WRITE: TLSv1.2 Handshake, length = 124
[write] MD5 and SHA1 hashes:  len = 53
0000: 01 03 03 00 0C 00 00 00 20 00 C0 2B 00 C0 2F 00  ........ ..+../.
0010: 00 2F 00 00 FF 5B D3 05 0C 45 21 16 60 C9 F6 34  ./...[...E!.`..4
0020: 53 FD 7F 55 B7 CD DB 23 D5 0D D2 E5 07 29 0A 57  S..U...#.....).W
0030: 76 12 4B 1A 2A                                   v.K.*
MessagingService-Outgoing-/10.216.193.246, WRITE: SSLv2 client hello message, length = 53
[Raw write]: length = 55
0000: 80 35 01 03 03 00 0C 00 00 00 20 00 C0 2B 00 C0  .5........ ..+..
0010: 2F 00 00 2F 00 00 FF 5B D3 05 0C 45 21 16 60 C9  /../...[...E!.`.
0020: F6 34 53 FD 7F 55 B7 CD DB 23 D5 0D D2 E5 07 29  .4S..U...#.....)
0030: 0A 57 76 12 4B 1A 2A                             .Wv.K.*
[Raw read]: length = 5
0000: 16 03 03 11 9B                                   .....
{noformat}

When a 4.0 node successfully connects to another 4.0 node I found this:
{noformat}
MessagingService-NettyOutbound-Thread-4-1, WRITE: TLSv1.2 Handshake, length = 124
[Raw write]: length = 129
0000: 16 03 03 00 7C 01 00 00 78 03 03 5B D3 0F 98 3F  ........x..[...?
0010: B4 85 6E 5B 01 1F 73 7B 51 42 15 73 64 30 36 06  ..n[..s.QB.sd06.
0020: 69 0F B9 E2 C3 F6 80 92 CF 36 D2 00 00 06 C0 2B  i........6.....+
0030: C0 2F 00 2F 01 00 00 49 00 0A 00 16 00 14 00 17  ././...I........
0040: 00 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E  ................
0050: 00 16 00 0B 00 02 01 00 00 0D 00 1C 00 1A 06 03
[Raw write]: length = 7
[Raw write]: length = 7
{noformat}

When a 3.0.x node fails to connect to a 4.0 node I got this:
{noformat}
MessagingService-Outgoing-/10.216.193.242, WRITE: TLSv1.2 Handshake, length = 124
[write] MD5 and SHA1 hashes:  len = 53
0000: 01 03 03 00 0C 00 00 00 20 00 C0 2B 00 C0 2F 00  ........ ..+../.
0010: 00 2F 00 00 FF 5B D3 05 0D 29 40 68 39 E9 7F 3F  ./...[...)@h9..?
0020: 39 FD 41 C9 98 4A 6F D2 99 46 AD A3 F9 56 36 8B  9.A..Jo..F...V6.
0030: 0F 42 87 D4 F5                                   .B...
MessagingService-Outgoing-/10.216.193.242, WRITE: SSLv2 client hello message, length = 53
[Raw write]: length = 55
0000: 80 35 01 03 03 00 0C 00 00 00 20 00 C0 2B 00 C0  .5........ ..+..
0010: 2F 00 00 2F 00 00 FF 5B D3 05 0D 29 40 68 39 E9  /../...[...)@h9.
0020: 7F 3F 39 FD 41 C9 98 4A 6F D2 99 46 AD A3 F9 56  .?9.A..Jo..F...V
0030: 36 8B 0F 42 87 D4 F5                             6..B...
[Raw read]: length = 5
0000: 15 03 03 00 02                                   .....
[Raw read]: length = 2
0000: 02 0A                                            ..
MessagingService-Outgoing-/10.216.193.242, READ: TLSv1.2 Alert, length = 2
MessagingService-Outgoing-/10.216.193.242, RECV TLSv1.2 ALERT:  fatal, unexpected_message
MessagingService-Outgoing-/10.216.193.242, called closeSocket()
{noformat}

Protocol and cipher_suites are configured the same in all nodes
{noformat}
protocol: TLSv1.2
cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
{noformat}

> SSL connection problems when upgrading to 4.0 when upgrading from 3.0.x
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-14842
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14842
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Tommy Stendahl
>            Priority: Major
>
> While testing to upgrade from 3.0.15 to 4.0 the old nodes fail to connect to
> the 4.0 node, I get this exception on the 4.0 node:
>
> {noformat}
> 2018-10-22T11:57:44.366+0200 ERROR [MessagingService-NettyInbound-Thread-3-8] InboundHandshakeHandler.java:300 Failed to properly handshake with peer /10.216.193.246:58296. Closing the channel.
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
>     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637)
>     at sun.security.ssl.InputRecord.read(InputRecord.java:527)
>     at sun.security.ssl.EngineInputRecord.read(EngineInputRecord.java:382)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:962)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1275)
>     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1177)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1221)
>     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
>     ... 14 common frames omitted
> {noformat}
> In the server encryption options on the 4.0 node I have both "enabled" and
> "enable_legacy_ssl_storage_port" set to true so it should accept incoming
> connections on the "ssl_storage_port".

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
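The three record shapes in the dumps above, decoded byte by byte. This is an added example, not code from Cassandra or from anyone in the thread: it recognises the 3.0.x node's SSLv2-format client hello (leading byte 0x80), the 4.0 node's TLS record-layer ClientHello (leading byte 0x16) and the 4.0 node's alert (0x15), and extracts the version and cipher suites each hello carries; the byte strings are copied from the dumps, and the cipher-suite name table covers only the suites that appear there.

```python
# Added example, not Cassandra or JIRA code: decode the three record shapes seen
# in the SSL debug dumps above. Sample bytes are copied from those dumps.
CIPHER_NAMES = {0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # RFC 5746 signal
ALERT_DESC = {10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}

def parse_first_record(data: bytes) -> dict:
    """Classify the first record on the wire; extract version and cipher suites."""
    assert len(data) >= 5, "need at least 5 bytes"
    if data[0] & 0x80:
        # SSLv2-compatible hello: 2-byte header (high bit set, 15-bit length), then
        # msg type 0x01, version, cipher_spec_len, session_id_len, challenge_len.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[0] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        cs_len = int.from_bytes(body[3:5], "big")
        specs = body[9:9 + cs_len]  # 3-byte SSLv2 specs; TLS suites travel as 00 xx yy
        suites = [int.from_bytes(specs[i + 1:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "sslv2_hello", "version": (body[1], body[2]), "suites": suites}
    ctype, version, body = data[0], (data[1], data[2]), data[5:]
    if ctype == 0x15:  # alert record: level, description
        level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
        return {"format": "alert", "version": version, "level": level,
                "description": ALERT_DESC.get(body[1], str(body[1]))}
    if ctype == 0x16 and body[0] == 0x01:  # handshake record carrying a ClientHello
        off = 39 + body[38]  # type(1) len(3) version(2) random(32) sid_len(1) sid
        cs_len = int.from_bytes(body[off:off + 2], "big")
        suites = [int.from_bytes(body[i:i + 2], "big")
                  for i in range(off + 2, off + 2 + cs_len, 2)]
        return {"format": "tls_client_hello", "version": (body[4], body[5]), "suites": suites}
    raise ValueError(f"unhandled record type 0x{ctype:02x}")

def suite_names(suites):
    return [CIPHER_NAMES.get(s, f"0x{s:04X}") for s in suites]

# 3.0.x node's first write (all 55 bytes from the dump above).
OLD_NODE_HELLO = bytes.fromhex(
    "8035 0103 0300 0c00 0000 2000 c02b 00c0 2f00 002f 0000 ff5b d305 0c45 2116"
    "60c9 f634 53fd 7f55 b7cd db23 d50d d2e5 0729 0a57 7612 4b1a 2a")
# 4.0 node's first write, cut after its cipher suites (record length still says 124).
NEW_NODE_HELLO = bytes.fromhex(
    "1603 0300 7c01 0000 7803 035b d30f 983f b485 6e5b 011f 737b 5142 1573 6430"
    "3606 690f b9e2 c3f6 8092 cf36 d200 0006 c02b c02f 002f")
# 4.0 node's reply to the SSLv2-format hello: fatal unexpected_message.
ALERT_FROM_NEW_NODE = bytes.fromhex("1503 0300 0202 0a")
```

Both hellos ask for TLSv1.2 (03 03) and list the same configured suites; the only difference the 4.0 side sees is the outer framing, and the JSSE engine with SSLv2Hello disabled answers the 0x80-framed one with the alert decoded here.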