[ https://issues.apache.org/jira/browse/CASSANDRA-14842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16670012#comment-16670012 ]
Tommy Stendahl commented on CASSANDRA-14842:
--------------------------------------------

To troubleshoot this further I added a little custom logging. In {{NettyFactory.InboundInitializer.initChannel()}} I added:

{code:java}
logger.info("inbound enabled {}", Arrays.asList(sslHandler.engine().getEnabledProtocols()));
logger.info("inbound supported {}", Arrays.asList(sslHandler.engine().getSupportedProtocols()));
{code}

And in {{NettyFactory.OutboundInitializer.initChannel()}} I added:

{code:java}
logger.info("outbound enabled {}", Arrays.asList(sslHandler.engine().getEnabledProtocols()));
logger.info("outbound supported {}", Arrays.asList(sslHandler.engine().getSupportedProtocols()));
{code}

In the log I get:

{noformat}
2018-10-30T13:49:57.120+0100 [MessagingService-NettyOutbound-Thread-4-4] INFO o.a.c.n.a.NettyFactory$OutboundInitializer:375 initChannel outbound enabled [TLSv1, TLSv1.1, TLSv1.2]
2018-10-30T13:49:57.120+0100 [MessagingService-NettyOutbound-Thread-4-4] INFO o.a.c.n.a.NettyFactory$OutboundInitializer:376 initChannel outbound supported [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
2018-10-30T13:49:57.184+0100 [MessagingService-NettyInbound-Thread-3-3] INFO o.a.c.n.a.NettyFactory$InboundInitializer:297 initChannel inbound enabled [TLSv1, TLSv1.1, TLSv1.2]
2018-10-30T13:49:57.184+0100 [MessagingService-NettyInbound-Thread-3-3] INFO o.a.c.n.a.NettyFactory$InboundInitializer:298 initChannel inbound supported [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
{noformat}

So SSLv2Hello is not enabled. After a bit of investigation it seems that the default in Netty is {{[TLSv1, TLSv1.1, TLSv1.2]}}, [Netty default protocol|https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java#L111]. Also I don't think the {{protocol}} parameter in the {{server_encryption_options}} is used in this context; regardless of what I set it to in the yaml file I get the Netty default as enabled protocols.
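To make the observation above reproducible outside Cassandra, here is an added example (not Cassandra's or Netty's own code) that reads the enabled-protocol list from a bare JDK SSLEngine, from an engine created by Netty's JdkSslContext with no explicit list, and from one where the list is passed through SslContextBuilder.protocols(...). The class name ProtocolListCheck and the use of a client-mode context (so no keystore is needed; Cassandra's inbound side builds a server context) are assumptions, and the printed lists depend on the JDK and Netty versions installed.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

/** Added example, not Cassandra or Netty code: where an SSLEngine's enabled-protocol list comes from. */
public class ProtocolListCheck {

    /** Bare JSSE engine: the list the JDK itself enables for the given mode (JDK-version dependent). */
    static List<String> jdkDefaultEnabled(boolean serverMode) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(!serverMode);
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** Netty engine with no protocols(...) call: JdkSslContext applies its own default list. */
    static List<String> nettyDefaultEnabled() throws Exception {
        SslContext ctx = SslContextBuilder.forClient().sslProvider(SslProvider.JDK).build();
        return Arrays.asList(ctx.newEngine(ByteBufAllocator.DEFAULT).getEnabledProtocols());
    }

    /** Netty engine with an explicit list: only what is passed here reaches the engine. */
    static List<String> nettyExplicitEnabled(String... protocols) throws Exception {
        SslContext ctx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .protocols(protocols)          // replaces Netty's default list
                .build();
        return Arrays.asList(ctx.newEngine(ByteBufAllocator.DEFAULT).getEnabledProtocols());
    }

    public static void main(String[] args) throws Exception {
        SSLEngine probe = SSLContext.getDefault().createSSLEngine();
        System.out.println("supported by this JDK : " + Arrays.asList(probe.getSupportedProtocols()));
        System.out.println("JDK server default    : " + jdkDefaultEnabled(true));
        System.out.println("Netty default         : " + nettyDefaultEnabled());
        // A value read from a yaml file has no effect unless it ends up in the protocols(...) call.
        System.out.println("Netty explicit        : " + nettyExplicitEnabled("SSLv2Hello", "TLSv1.2"));
    }
}
```

Comparing the "Netty default" line with the "supported" line shows the same gap as the log above: SSLv2Hello is supported by the engine but only enabled when an application passes it explicitly.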
> SSL connection problems when upgrading to 4.0 when upgrading from 3.0.x
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-14842
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14842
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Tommy Stendahl
>            Priority: Major
>
> While testing to upgrade from 3.0.15 to 4.0 the old nodes fail to connect to
> the 4.0 node, I get this exception on the 4.0 node:
>
> {noformat}
> 2018-10-22T11:57:44.366+0200 ERROR [MessagingService-NettyInbound-Thread-3-8] InboundHandshakeHandler.java:300 Failed to properly handshake with peer /10.216.193.246:58296. Closing the channel.
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
>     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:808)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:417)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:317)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637)
>     at sun.security.ssl.InputRecord.read(InputRecord.java:527)
>     at sun.security.ssl.EngineInputRecord.read(EngineInputRecord.java:382)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:962)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1275)
>     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1177)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1221)
>     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
>     ... 14 common frames omitted
> {noformat}
>
> In the server encryption options on the 4.0 node I have both "enabled" and
> "enable_legacy_ssl_storage_port" set to true so it should accept incoming
> connections on the "ssl_storage_port".

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)