Santosh Kumar Sahu created ZOOKEEPER-4987:
---------------------------------------------
Summary: ZooKeeper client fails to fall back to TLSv1.2 when the TLSv1.3
ciphers are not correct / ZooKeeper client fails to fall back to TLSv1.3 when
the TLSv1.2 ciphers are not correct
Key: ZOOKEEPER-4987
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4987
Project: ZooKeeper
Issue Type: Bug
Components: java client
Environment: Dockerized environment
using jdk 17
Reporter: Santosh Kumar Sahu
Hi, we have 2 microservices: 1. ZooKeeper based, 2. Kafka based.
For the ZooKeeper configuration, we have configured the parameters below related
to TLS:
ssl.protocol=TLSv1.3
ssl.quorum.protocol=TLSv1.3
ssl.enabledProtocols=TLSv1.3,TLSv1.2
ssl.quorum.enabledProtocols=TLSv1.3,TLSv1.2
Also, for ZooKeeper we have the JVM opts below:
-Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
From the Kafka side we are setting the 2 configuration parameters below in the
properties file which is used to start the Kafka server:
zookeeper.ssl.protocol: "TLSv1.3"
zookeeper.ssl.enabled.protocols: "TLSv1.3,TLSv1.2"
For Kafka, we have the JVM opts below:
-Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
ZooKeeper server version: 3.8.4
Kafka server version: 3.9.0
Inside the Kafka Java classpath we are adding the ZooKeeper server binary,
because its ZooKeeper client component is used by Kafka for communicating with
the ZooKeeper server.
So the ZooKeeper client version is 3.9.2.
Now it was observed that Kafka uses TLSv1.3 to communicate with ZooKeeper,
which is okay, because ZooKeeper supports both TLSv1.2 and TLSv1.3.
But if I don't set TLSv1.3-related ciphers and only set TLSv1.2-related ciphers
on ZooKeeper, ideally Kafka should also fall back to TLSv1.2 and keep using
TLSv1.2 for the SSL handshake. But that doesn't happen.
As we have set only TLSv1.2-related ciphers on ZooKeeper, the ZooKeeper server
falls back to TLSv1.2 and expects that Kafka should use TLSv1.2 only, but Kafka
still uses TLSv1.3, the error messages below are printed in the ZooKeeper logs,
and the Kafka pods don't come up:
{"message":"Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLSv1.2]","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
{"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
{"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
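The mechanism behind the alert quoted in the report can be checked before deploying a cipher list. The following is an added example, not ZooKeeper, Kafka or JDK code: it models one rule of JSSE negotiation, namely that a protocol version is only negotiable ("active") when at least one enabled cipher suite can be used with it, so a server whose cipher list holds only TLSv1.2 suites offers TLSv1.2 alone even with `ssl.enabledProtocols=TLSv1.3,TLSv1.2`, and a peer that has only TLSv1.3 active cannot fall back. The cipher suite names are real IANA names, but the suite-to-version mapping, the server cipher list (`ZK_SUITES`), the client cipher list (`CLIENT_SUITES`) and the function names are assumptions made for the example; the report does not show the actual `ssl.ciphersuites` value.

```python
"""Model of TLS version negotiation under cipher-suite restrictions.

Constructed example; not ZooKeeper, Kafka or JSSE code. A protocol version
is treated as negotiable only when at least one enabled cipher suite belongs
to it, mirroring how JSSE drops versions that have no usable suite.
The suite mapping below covers only the suites used here (assumption).
"""

# TLSv1.3 suites name only the AEAD and hash (no key exchange / auth).
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# TLSv1.2 suites name the key exchange and authentication as well.
TLS12_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Negotiation preference: highest version first.
PREFERENCE = ("TLSv1.3", "TLSv1.2")


class HandshakeFailure(Exception):
    """Raised when the peers share no protocol version or cipher suite."""


def suite_version(suite):
    """Return the protocol version a cipher suite belongs to."""
    if suite in TLS13_SUITES:
        return "TLSv1.3"
    if suite in TLS12_SUITES:
        return "TLSv1.2"
    raise ValueError(f"unknown cipher suite: {suite}")


def active_protocols(enabled_protocols, enabled_suites):
    """Versions that can really be negotiated: enabled AND backed by a suite."""
    backed = {suite_version(s) for s in enabled_suites}
    return [p for p in PREFERENCE if p in enabled_protocols and p in backed]


def negotiate(client_protocols, client_suites, server_protocols, server_suites):
    """Pick (version, suite) the way a server would, or raise HandshakeFailure.

    The failure text mirrors the JSSE alert quoted in the report so the
    model's output can be compared with the real log line.
    """
    client_active = active_protocols(client_protocols, client_suites)
    server_active = active_protocols(server_protocols, server_suites)
    common = [p for p in server_active if p in client_active]
    if not common:
        raise HandshakeFailure(
            f"The client supported protocol versions {client_active} "
            f"are not accepted by server preferences {server_active}"
        )
    version = common[0]
    for suite in server_suites:  # server preference order
        if suite in client_suites and suite_version(suite) == version:
            return version, suite
    raise HandshakeFailure(f"no common cipher suite for {version}")


# Server side as in the report: both versions enabled, but the cipher
# list (assumed here) holds TLSv1.2 suites only.
ZK_PROTOCOLS = ["TLSv1.3", "TLSv1.2"]
ZK_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
# Client with suites for both versions (assumed list).
CLIENT_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def fallback_case():
    """Client with both versions active negotiates TLSv1.2 with the server."""
    return negotiate(ZK_PROTOCOLS, CLIENT_SUITES, ZK_PROTOCOLS, ZK_SUITES)


def no_fallback_case():
    """Client with only TLSv1.3 active: the alert text from the report's log."""
    try:
        negotiate(["TLSv1.3"], CLIENT_SUITES, ZK_PROTOCOLS, ZK_SUITES)
    except HandshakeFailure as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("server active versions:", active_protocols(ZK_PROTOCOLS, ZK_SUITES))
    print("client with TLSv1.3 and TLSv1.2 active:", fallback_case())
    print("client with TLSv1.3 only:", no_fallback_case())
```

Run the script with your own `ssl.ciphersuites` value in `ZK_SUITES`: if `active_protocols` drops a version you expected to serve, every peer must have the remaining version active (enabled and backed by a suite) or its handshake will fail the way the report's log shows.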