[
https://issues.apache.org/jira/browse/ZOOKEEPER-4987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18029758#comment-18029758
]
Tero Saarni commented on ZOOKEEPER-4987:
----------------------------------------
The following Kafka settings work for the Zookeeper client when the Zookeeper
server was configured with the default enabled protocols (TLSv1.3 and TLSv1.2)
but the server is restricted to only TLSv1.2 ciphers:
zookeeper.ssl.client.enable=true
zookeeper.ssl.protocol = TLSv1.3
zookeeper.ssl.enabled.protocols = TLSv1.2, TLSv1.3
zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> zookeeper client fails to fallback to tls1.2 when tls1.3 ciphers are not
> correct / zookeeper client fails to fallback to tls1.3 when tls1.2 ciphers
> are not correct
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4987
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4987
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client, jute, other
> Affects Versions: 3.9.3
> Environment: Dockerized environment
> using jdk 17
>
> Reporter: Santosh Kumar Sahu
> Priority: Blocker
>
> Hi, we have 2 microservices: 1. zookeeper based, 2. kafka based.
> For the zookeeper configuration, we have configured the below parameters
> related to tls -
> ssl.protocol=TLSv1.3
> ssl.quorum.protocol=TLSv1.3
> ssl.enabledProtocols=TLSv1.3,TLSv1.2
> ssl.quorum.enabledProtocols=TLSv1.3,TLSv1.2
> Also, the jvm opts for zookeeper are the below -
> -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
> From the kafka side we are setting the below 2 configuration parameters in the
> properties file which is used to start the kafka server -
> zookeeper.ssl.protocol: "TLSv1.3"
> zookeeper.ssl.enabled.protocols: "TLSv1.3,TLSv1.2"
>
> For kafka, we have the below opts for the jvm
> -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
>
> Zookeeper server version - 3.8.4
> Kafka server version - 3.9.0
> Inside the kafka java class load path we are adding the zookeeper server binary,
> because it's the zookeeper client component used by kafka for communicating
> with the zookeeper server.
> So the zookeeper client version is 3.9.2
>
> Now it was observed that kafka uses TLSv1.3 to communicate with zookeeper,
> which is okay, because zookeeper supports both TLSv1.2 and TLSv1.3.
> But if I don't set TLS1.3 related ciphers and only set TLS1.2 related ciphers
> for zookeeper, ideally kafka should also fall back to TLS1.2 and keep using
> TLSv1.2 for the ssl handshake. But that doesn't happen.
> As we have set only TLS1.2 related ciphers for zookeeper, the zookeeper server
> falls back to TLS1.2 and expects that kafka should use TLS1.2 only, but kafka
> still uses TLS1.3 and the below error messages are printed in the zookeeper
> logs - and the kafka pods don't come up -
>
> {"message":"Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLSv1.2]","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
> {"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
> {"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
>
>
>
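Added example, not code from ZooKeeper, Kafka or the JDK: a small model of why the server above ends up speaking only TLSv1.2 and why a client that offers only TLSv1.3 then fails. It mirrors the JSSE rule that a protocol version with no usable enabled cipher suite is dropped from the set a peer will negotiate; the suite names are standard JSSE names and the scenario values are the ones from the issue (server restricted to TLSv1.2 suites, client enabled protocols from the working Kafka settings).

```python
# Added illustration (not ZooKeeper/JDK code). Models JSSE's "active protocol"
# filtering: enabled protocols are intersected with the versions that the
# enabled cipher suites can actually be used with, then the highest common
# version wins. Suite names follow the standard JSSE/IANA naming.
from typing import Iterable

# TLS 1.3 suites have no key-exchange/authentication part in their name.
TLS13_ONLY = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
              "TLS_CHACHA20_POLY1305_SHA256"}
VERSION_ORDER = ["TLSv1.2", "TLSv1.3"]   # lowest to highest


def suite_protocols(suite: str) -> set[str]:
    """Protocol versions a cipher suite can be negotiated under."""
    if suite in TLS13_ONLY:
        return {"TLSv1.3"}
    if suite.startswith("TLS_") and "_WITH_" in suite:   # ECDHE/DHE/RSA suites
        return {"TLSv1.2"}
    raise ValueError(f"unknown suite name: {suite}")


def active_protocols(enabled: Iterable[str], suites: Iterable[str]) -> set[str]:
    """Enabled protocols that still have at least one usable cipher suite.
    A server configured with only TLSv1.2 suites therefore ends up with
    {'TLSv1.2'} even though TLSv1.3 is in its enabledProtocols list."""
    usable = set().union(*(suite_protocols(s) for s in suites))
    return {p.strip() for p in enabled} & usable


def _fmt(versions: set[str]) -> str:
    return "[" + ", ".join(sorted(versions)) + "]"


def negotiate(client_enabled: Iterable[str], client_suites: Iterable[str],
              server_enabled: Iterable[str], server_suites: Iterable[str]) -> str:
    """Return the version both sides can use, or raise with a message of the
    same shape as the server-side SSLHandshakeException quoted in the issue."""
    client = active_protocols(client_enabled, client_suites)
    server = active_protocols(server_enabled, server_suites)
    common = [v for v in reversed(VERSION_ORDER) if v in client and v in server]
    if not common:
        raise ValueError(f"The client supported protocol versions {_fmt(client)} "
                         f"are not accepted by server preferences {_fmt(server)}")
    return common[0]


if __name__ == "__main__":
    # Constructed scenario: server enables both versions but only a 1.2 suite.
    srv_enabled, srv_suites = ["TLSv1.3", "TLSv1.2"], ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    both = ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    print(negotiate(["TLSv1.2", "TLSv1.3"], both, srv_enabled, srv_suites))  # TLSv1.2
    try:
        negotiate(["TLSv1.3"], both, srv_enabled, srv_suites)
    except ValueError as err:
        print("handshake fails:", err)
```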