[ https://issues.apache.org/jira/browse/ZOOKEEPER-4987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Santosh Kumar Sahu updated ZOOKEEPER-4987:
------------------------------------------
    Priority: Blocker  (was: Critical)

> zookeeper client fails to fallback to tls1.2 when tls1.3 ciphers are not 
> correct / zookeeper client fails to fallback to tls1.3 when tls1.2 ciphers 
> are not correct
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4987
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4987
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>         Environment: Dockerized environment
> using jdk 17 
>  
>            Reporter: Santosh Kumar Sahu
>            Priority: Blocker
>
> Hi, we have 2 microservices: 1. zookeeper based, 2. kafka based.
> For zookeeper configuration, we have configured the below parameters
> related to tls -
>     ssl.protocol=TLSv1.3
>     ssl.quorum.protocol=TLSv1.3
>     ssl.enabledProtocols=TLSv1.3,TLSv1.2
>     ssl.quorum.enabledProtocols=TLSv1.3,TLSv1.2
> Also, for zookeeper we have the below jvm opts -
> -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
> From the kafka side we are setting the below 2 configuration parameters in the properties
> file which is used to start the kafka server -
>   zookeeper.ssl.protocol: "TLSv1.3"
>   zookeeper.ssl.enabled.protocols: "TLSv1.3,TLSv1.2"
>
> For kafka, we have the below opts for the jvm -
> -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2 -Dhttps.protocols=TLSv1.3,TLSv1.2
>
> Zookeeper server version - 3.8.4
> Kafka server version - 3.9.0
> Inside the kafka java class load path we are adding the zookeeper server binary,
> because it's the zookeeper client component used by kafka for communicating with the
> zookeeper server.
> So the zookeeper client version is 3.9.2
>
> Now it was observed that kafka uses TLSv1.3 to communicate with zookeeper,
> which is okay, because zookeeper supports both TLSv1.2 and TLSv1.3.
> But if I don't set TLS1.3 related ciphers and only set TLS1.2 related ciphers
> on zookeeper, ideally kafka should also fall back to TLS1.2 and keep using TLSv1.2
> for the ssl handshake. But that doesn't happen.
> As we have set only TLS1.2 related ciphers on zookeeper, the zookeeper server
> falls back to TLS1.2 and expects that kafka should use TLS1.2 only, but kafka
> still uses TLS1.3 and the below error messages are printed in the zookeeper logs -
> and the kafka pods don't come up -
>
> {"message":"Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLSv1.2]","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
> {"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
> {"message":"\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)","metadata":{"container_name":"zookeeper","namespace":"namespace1","pod_name":"zookeeper-0"},"service_id":"zookeeper","severity":"info","timestamp":"2025-10-09T08:50:15.443+00:00","version":"1.2.0"}
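The log line "client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLSv1.2]" follows from a JSSE rule: a protocol version listed in the enabled protocols is only offered (client) or accepted (server) if at least one enabled cipher suite applies to that version, so a side that lists TLSv1.3,TLSv1.2 but only TLS 1.2 suites is effectively TLSv1.2-only. The config check below is an added illustration of that rule, not ZooKeeper or Kafka code; the property names `ssl.enabledProtocols` and `ssl.ciphersuites` follow ZooKeeper's naming, and both suite lists are constructed samples (the report does not state which suites the Kafka side had).

```java
import java.util.ArrayList;
import java.util.List;

/** Added diagnostic: derive the protocols each side can actually negotiate
 *  from its enabled-protocol list and its cipher-suite list. */
public final class TlsConfigCheck {

    // In the JDK, TLS 1.3 suites carry no key-exchange prefix (TLS_AES_*, TLS_CHACHA20_*);
    // every other TLS_* suite name belongs to TLS 1.2 or older.
    static boolean isTls13Suite(String suite) {
        return suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_");
    }

    static List<String> splitList(String csv) {
        List<String> out = new ArrayList<>();
        for (String s : csv.split(",")) {
            if (!s.isBlank()) out.add(s.trim());
        }
        return out;
    }

    /** Protocols from enabledProtocols that have at least one applicable suite, in configured order. */
    static List<String> effectiveProtocols(String enabledProtocols, String cipherSuites) {
        List<String> suites = splitList(cipherSuites);
        boolean hasTls13Suite = suites.stream().anyMatch(TlsConfigCheck::isTls13Suite);
        boolean hasTls12Suite = suites.stream().anyMatch(s -> !isTls13Suite(s));
        List<String> effective = new ArrayList<>();
        for (String p : splitList(enabledProtocols)) {
            boolean usable = p.equals("TLSv1.3") ? hasTls13Suite : hasTls12Suite;
            if (usable) effective.add(p);
        }
        return effective;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: both sides list TLSv1.3,TLSv1.2, but the
        // server's suite list (ssl.ciphersuites) holds only TLS 1.2 suites, while the client
        // side is assumed to hold only TLS 1.3 suites. Neither list comes from the report.
        String enabled = "TLSv1.3,TLSv1.2";
        String serverSuites = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        String clientSuites = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256";
        List<String> server = effectiveProtocols(enabled, serverSuites);
        List<String> client = effectiveProtocols(enabled, clientSuites);
        System.out.println("server can negotiate: " + server);
        System.out.println("client can negotiate: " + client);
        List<String> common = new ArrayList<>(client);
        common.retainAll(server);
        if (common.isEmpty()) {
            System.out.println("no protocol in common: handshake will fail; give one side a suite for the missing version");
        }
    }
}
```

Running the check against each side's real property values shows whether the two lists of effective protocols overlap; if the client's list is [TLSv1.3] and the server's is [TLSv1.2], the handshake failure in the log is expected rather than a fallback that silently failed.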



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
