Anoop Negi created ZOOKEEPER-4392:
-------------------------------------

Summary: Zookeeper 3.6.2 : The client supported protocol versions [TLSv1.3] are not accepted by server preferences
Key: ZOOKEEPER-4392
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4392
Project: ZooKeeper
Issue Type: Test
Components: server
Affects Versions: 3.6.2
Environment: Kubernetes
Reporter: Anoop Negi

We are trying to add TLSv1.3 support in Zookeeper; currently, by default, TLSv1.2 is supported. The following is the configuration:

{code:java}
ssl.enabled.protocols=TLSv1.3,TLSv1.2
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
sslQuorumReloadCertFiles=true
quorumListenOnAllIPs=true
secureClientPort=2281
sslQuorum=false
portUnification=true
ssl.quorum.clientAuth=need
ssl.quorum.hostnameVerification=true
ssl.quorum.keyStore.location=/opt/zookeeper/cert/cert1.pem
ssl.quorum.trustStore.location=/opt/zookeeper/cert/cacert.pem
ssl.trustStore.location=/opt/zookeeper/cert/ca/clientcacert.pem
ssl.keyStore.location=/opt/zookeeper/cert/cert1.pem
ssl.clientAuth=need
{code}

In the Zookeeper documentation, "*ssl.enabledProtocols*" is mentioned for adding supported protocol versions, but this is also not working. By setting "*ssl.enabled.protocols=TLSv1.3,TLSv1.2*", TLSv1.2 communication is working, but for TLSv1.3 the following error is coming:

{code:java}
2021-10-07T12:24:44.121+0000 [myid:] - ERROR [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CertificateVerifier@434] - Unsuccessful handshake with session 0x0
2021-10-07T12:24:44.123+0000 [myid:] - WARN [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] - Exception caught
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.50.Final.jar:4.1.50.Final]
	at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
	at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:336) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:283) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:916) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:832) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
	... 17 more
{code}

We get the error "The client supported protocol versions [TLSv1.3] are not accepted by server preferences" while using *netty 4.1.50, which supports TLSv1.3* (netty 4.1.31 onwards supports TLSv1.3; ref: https://netty.io/news/2018/10/30/4-1-31-Final.html). When trying openssl with -tls1_3 to connect to Zookeeper over the TLS port, it failed with the following error:

{code:java}
openssl s_client --connect zookeeper1:2281 --cert /run/secret/client/clicert.pem --key /run/secret/client/cliprivkey.pem --CAfile /run/secret/ca/cacert.pem -tls1_3
CONNECTED(00000003)
140629337047680:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
{code}

So, we would need help to enable TLSv1.3 support; let us know if any further information is required.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
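As an added defender-side check (not part of the ticket, nor of ZooKeeper's own code): a small Python linter that reads a zoo.cfg, flags the key-name difference the ticket quotes from the documentation (`ssl.enabled.protocols` in the config versus `ssl.enabledProtocols` in the docs), reports whether TLSv1.3 is in the list under the documented key, and parses the JDK handshake error into client-offered and server-accepted version lists so the mismatch can be matched in log monitoring. The sample config and log line are constructed from the ticket's text.

```python
import re

# Constructed sample: the reporter's zoo.cfg fragment (keys taken from the ticket).
SAMPLE_CFG = """\
ssl.enabled.protocols=TLSv1.3,TLSv1.2
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
secureClientPort=2281
ssl.clientAuth=need
"""

# Constructed sample: the handshake failure line from the ticket's server log.
SAMPLE_LOG = ("javax.net.ssl.SSLHandshakeException: The client supported protocol "
              "versions [TLSv1.3] are not accepted by server preferences [TLS12]")

DOCUMENTED_KEY = "ssl.enabledProtocols"   # spelling quoted from the ZooKeeper docs in the ticket
MISKEYED = "ssl.enabled.protocols"        # spelling used in the ticket's configuration

def parse_cfg(text):
    """Parse key=value lines of a zoo.cfg into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def protocol_findings(cfg):
    """Return a list of human-readable findings about the enabled-protocol setting."""
    findings = []
    if MISKEYED in cfg and DOCUMENTED_KEY not in cfg:
        findings.append(f"'{MISKEYED}' is set but the documented key is '{DOCUMENTED_KEY}'")
    protocols = [p.strip() for p in cfg.get(DOCUMENTED_KEY, "").split(",") if p.strip()]
    if not protocols:
        findings.append("no protocol list under the documented key; the runtime default applies")
    elif "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 is absent from the enabled protocol list")
    return findings

_MISMATCH_RE = re.compile(r"client supported protocol versions \[([^\]]+)\] "
                          r"are not accepted by server preferences \[([^\]]+)\]")

def parse_mismatch(log_line):
    """Extract (client_offered, server_accepted) from the JDK handshake error, or None."""
    m = _MISMATCH_RE.search(log_line)
    if not m:
        return None
    split = lambda s: [v.strip() for v in s.split(",")]
    return split(m.group(1)), split(m.group(2))
```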