Anoop Negi updated ZOOKEEPER-4392: ---------------------------------- Issue Type: Bug (was: Test) Priority: Blocker (was: Major) > Zookeeper 3.6.2 : The client supported protocol versions [TLSv1.3] are not > accepted by server preferences > --------------------------------------------------------------------------------------------------------- > > Key: ZOOKEEPER-4392 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4392 > Project: ZooKeeper > Issue Type: Bug > Components: server > Affects Versions: 3.7.0, 3.6.2 > Environment: Kubernetes > Reporter: Anoop Negi > Priority: Blocker > > We are trying to add TLSv1.3 support in Zookeeper, currently by default > TLSv1.2 is supported. > Following are the configuration > > {code:java} > ssl.protocol=TLSv1.3 > ssl.enabledProtocols=TLSv1.3,TLSv1.2 > serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory > sslQuorumReloadCertFiles=true > quorumListenOnAllIPs=true > secureClientPort=2281 > sslQuorum=false > portUnification=true > ssl.quorum.clientAuth=need > ssl.quorum.hostnameVerification=true > ssl.quorum.keyStore.location=/opt/zookeeper/cert/cert1.pem > ssl.quorum.trustStore.location=/opt/zookeeper/cert/cacert.pem > ssl.trustStore.location=/opt/zookeeper/cert/ca/clientcacert.pem > ssl.keyStore.location=/opt/zookeeper/cert/cert1.pem > ssl.clientAuth=need > {code} > by setting "*ssl.enabledProtocols=TLSv1.3,TLSv1.2*", only TLSv1.2 > communication is working but for TLSv1.3 following error coming > > {code:java} > 2021-10-07T12:24:44.121+0000 [myid:] - ERROR > [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CertificateVerifier@434] - > Unsuccessful handshake with session 0 x0 > 2021-10-07T12:24:44.123+0000 [myid:] - WARN > [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] - > Exception caught > io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: > The client supported protocol versions [TLSv1.3] are not accepted by server p > references [TLS12] > at > 
io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) > ~[netty-codec-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) > ~[netty-codec-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) > [netty-transport-4.1.50.Final.jar:4.1.5 0.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) > [netty-transport-4.1.50.Final.jar:4.1.5 0.Final] > at > io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) > [netty-transport-4.1.50.Final.jar:4.1.50. Final] > at > io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) > [netty-transport-4.1.50.Final.jar:4.1.50.Final ] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) > [netty-transport-4.1.50.Final.jar:4.1.5 0.Final] > at > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) > [netty-transport-4.1.50.Final.jar:4.1.5 0.Final] > at > io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at 
io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at java.lang.Thread.run(Thread.java:829) [?:?] > Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol > versions [TLSv1.3] are not accepted by server preferences [TLS12] > at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?] > at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?] > at sun.security.ssl.TransportContext.fatal(TransportContext.java:336) > ~[?:?] > at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) > ~[?:?] > at sun.security.ssl.TransportContext.fatal(TransportContext.java:283) > ~[?:?] > at > sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:916) > ~[?:?] > at > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:832) > ~[?:?] > at > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) > ~[?:?] > at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?] > at > sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?] > at > sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) > ~[?:?] > at > sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) > ~[?:?] > at java.security.AccessController.doPrivileged(Native Method) ~[?:?] > at > sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) > ~[?:?] 
> at > io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) > ~[netty-codec-4.1.50.Final.jar:4.1.50. Final] > at > io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) > ~[netty-codec-4.1.50.Final.jar:4.1.50.Final] > ... 17 more > {code} > error"The client supported protocol versions [TLSv1.3] are not accepted by > server preferences" > > > Zookeeper using *netty 4.1.50 which support TLSv1.3*( netty 4.1.31 onwards > support TLSv1.3 ref: [https://netty.io/news/2018/10/30/4-1-31-Final.html]) > when trying to openssl with -tls1_3 to connect with zookeeper over TLS port > it failed with following error coming > {code:java} > openssl s_client --connect zookeeper1:2281 --cert > /run/secret/client/clicert.pem --key /run/secret/client/cliprivkey.pem > --CAfile /run/secret/ca/cacert.pem -tls1_3 > CONNECTED(00000003) > 140629337047680:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert > protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 7 bytes and written 318 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > Early data was not sent > 
Verify return code: 0 (ok) > {code} > > and if *ssl.enabledProtocols=TLSv1.3* (only TLSv1.3) then TLSv1.2 also not > working and following error coming in logs > {code:java} > at > io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) > [netty-transport-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) > [netty-common-4.1.50.Final.jar:4.1.50.Final] > at java.lang.Thread.run(Thread.java:829) [?:?] > Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol > (protocol is disabled or cipher suites are inappropriate) > at > sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170) ~[?:?] > at > sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62) > ~[?:?] > at > sun.security.ssl.TransportContext.kickstart(TransportContext.java:222) ~[?:?] > at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:491) > ~[?:?] > at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) > ~[?:?] > at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) > ~[?:?] 
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?] > at > io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) > ~[netty-handler-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) > ~[netty-codec-4.1.50.Final.jar:4.1.50.Final] > at > io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) > ~[netty-codec-4.1.50.Final.jar:4.1.50.Final] > ... 17 more > {code} > error "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" > > Taken together, the two failures look consistent with the cipher-suite list rather than the protocol list alone: with *ssl.enabledProtocols=TLSv1.3,TLSv1.2* the server-side engine still reports its active protocols as *[TLS12]*, and with *ssl.enabledProtocols=TLSv1.3* alone the JSSE message itself says the cause may be that "cipher suites are inappropriate". JSSE removes a protocol version from the active set when none of the enabled cipher suites can be used with it, and TLSv1.3 only negotiates its own suites (e.g. TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384). Please check whether *ssl.ciphersuites* (or the server's default list when that property is unset) contains any TLSv1.3 suite; if it does not, that would explain both symptoms. Note also that with *sslQuorum=false* the *ssl.quorum.\** settings in the configuration above have no effect on the *secureClientPort* handshake that the openssl test exercises, so only the *ssl.\** keys are relevant here. > > Questions: is TLSv1.3 supported on the secure client port in ZooKeeper, and if so from which version onwards? Which combination of *ssl.protocol*, *ssl.enabledProtocols* and *ssl.ciphersuites* is expected to enable it? > Let us know if any further information is required. -- This message was sent by Atlassian Jira (v8.20.1#820001)