Kelly Schoenhofen created ZOOKEEPER-3622:
--------------------------------------------

             Summary: ZooKeeper 3.5.6 Quorum TLS protocol issues
                 Key: ZOOKEEPER-3622
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3622
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
    Affects Versions: 3.5.6
            Reporter: Kelly Schoenhofen


Using 3.5.6 I have quorum TLS working, but I'm being asked to tighten up from the default of AES128 & TLS 1.2. I've tried the following in the zoo.cfg:

    ssl.quorum.protocol=TLSv1.3

This is apparently not supported yet - is this dependent on the version of OpenSSL on the system, or is this just not an option I can specify? Where can I find the list of protocols that are recognized? If 1.3 is not yet available, not the end of the world.

    ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This is not a recognized cipher, neither is AES256/SHA256. The above cipher _should_ be available though, and is the stronger successor to AES128/SHA256.

I have the suspicion that I'm setting it wrong, because if I set it to the cipher it defaults to when unset:

    ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

it gives me this when cluster members try to connect:

    2019-11-16 19:39:33,731 [myid:1] - INFO [xxx/x.x.x.x:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:40822 - NONE - SSL_NULL_WITH_NULL_NULL
    2019-11-16 19:39:33,732 [myid:1] - WARN [xxx/x.x.x.x:3888:QuorumCnxManager@542] - Exception reading or writing challenge: {}

(The only alteration I made to the above snippet is changing the machine names to xxx and IPs to x.x.x.x; I altered it in no other way.)

So two questions:

1) Is TLS 1.3 an option?
2) What is the cipher list? I would like an AES256 option.