Kelly Schoenhofen created ZOOKEEPER-3622:
--------------------------------------------

             Summary: ZooKeeper 3.5.6 Quorum TLS protocol issues
                 Key: ZOOKEEPER-3622
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3622
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
    Affects Versions: 3.5.6
            Reporter: Kelly Schoenhofen


Using 3.5.6 I have quorum TLS working, but I'm being asked to tighten up from 
the default of AES128 & TLS 1.2. I've tried the following in the zoo.cfg:

ssl.quorum.protocol=TLSv1.3

This is apparently not supported yet - is this dependent on the version of 
openssl on the system, or is this just not an option I can specify? Where can I 
find the list of protocols that are recognized? If 1.3 is not yet available, 
not the end of the world.

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This is not a recognized cipher, nor is AES256/SHA256. The above cipher 
_should_ be available though, and is the stronger successor to AES128/SHA256.

I have the suspicion that I'm setting it wrong, because if I set it to the 
cipher it defaults to when unset:

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Gives me this when cluster members try to connect:

2019-11-16 19:39:33,731 [myid:1] - INFO 
[xxx/x.x.x.x:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS 
connection from xxx/x.x.x.x:40822 - NONE - SSL_NULL_WITH_NULL_NULL
2019-11-16 19:39:33,732 [myid:1] - WARN [xxx/x.x.x.x:3888:QuorumCnxManager@542] 
- Exception reading or writing challenge: {}


(the only alteration I made to the above snippet is changing the machine names 
to xxx and IPs to x.x.x.x; I altered it in no other way)

So two questions:

1) Is TLS 1.3 an option?

2) What is the cipher list? I would like an AES256 option.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
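An added check, not code from the reporter or from the ZooKeeper project: the quorum TLS listener in 3.5.x is built on the JDK's own JSSE (javax.net.ssl), so whether a protocol or cipher-suite name in zoo.cfg is accepted is decided by the JVM that runs ZooKeeper, not by the system OpenSSL. The program below lists what the running JVM's provider supports and reports whether the two values tried in the report are available; the class name and helper methods are my own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Hypothetical helper (not ZooKeeper code): what can this JVM's JSSE provider negotiate? */
public class JsseCapabilityCheck {

    // The two values the report tries to set in zoo.cfg.
    static final String WANTED_PROTOCOL = "TLSv1.3";
    static final String WANTED_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
    // JSSE names TLS 1.3 suites without a key-exchange part; this is its AES-256 suite.
    static final String TLS13_AES256_SUITE = "TLS_AES_256_GCM_SHA384";

    /** True when the exact (case-sensitive) name is in the provider's supported list. */
    static boolean isSupported(String[] supported, String name) {
        return Arrays.asList(supported).contains(name);
    }

    /** Asks the provider for a context by protocol name, as a config consumer would. */
    static boolean protocolContextAvailable(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // e.g. "TLSv1.3" on a JDK 8 build that predates the TLS 1.3 backport
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();

        System.out.println("JVM: " + System.getProperty("java.version"));
        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(defaults.getProtocols()));
        System.out.println(WANTED_PROTOCOL + " context available: " + protocolContextAvailable(WANTED_PROTOCOL));
        System.out.println(WANTED_SUITE + " supported: " + isSupported(supported.getCipherSuites(), WANTED_SUITE));
        System.out.println(TLS13_AES256_SUITE + " supported: " + isSupported(supported.getCipherSuites(), TLS13_AES256_SUITE));

        // Print every AES-256 suite the provider knows, so an ssl.quorum.ciphersuites
        // value can be built only from names that actually exist in this JVM.
        System.out.println("AES-256 suites known to this JVM:");
        for (String s : supported.getCipherSuites()) {
            if (s.contains("AES_256")) System.out.println("  " + s);
        }
    }
}
```

Run it with the same JDK that launches the ZooKeeper server, since a different JVM can carry a different provider and a different crypto policy.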
