cassandra-user mailing list archives

From Tommy Stendahl <tommy.stend...@ericsson.com>
Subject Re: Upgrade to 3.11.1 give SSLv2Hello is disabled error
Date Wed, 17 Jan 2018 14:25:15 GMT
We use Oracle jdk1.8.0_152 on all nodes and, as I understand, Oracle uses a
dot in the protocol name (TLSv1.2), and I use the same protocol name and
cipher names on the 3.0.14 nodes and the one I try to upgrade to 3.11.1.


On 2018-01-17 15:02, Georg Brandemann wrote:
> If I remember correctly, the protocol names differ between some JRE
> vendors.
>
> With IBM Java, for instance, the protocol name would be TLSv12 (without
> .).
>
> Are you using the same JRE on all nodes and is the protocol name and 
> cipher names exactly the same on all nodes?
>
> 2018-01-17 14:51 GMT+01:00 Tommy Stendahl <tommy.stendahl@ericsson.com>:
>
>     Thanks for your response.
>
>     I got it working by removing my protocol setting from the
>     configuration on the 3.11.1 node so it uses the default protocol
>     setting. I'm not sure exactly how that changes things, so I need to
>     investigate that. We don't have any custom ssl settings that
>     should affect this and we use jdk1.8.0_152.
>
>     But I think this should have worked. As you say, SSLv2Hello should
>     be enabled on the server side, so I don't understand why I can't
>     specify TLSv1.2.
>
>     /Tommy
>
>
>     On 2018-01-17 11:03, Stefan Podkowinski wrote:
>
>         I think what this error indicates is that a client is trying to
>         connect using an SSLv2Hello handshake, while this protocol has been
>         disabled on the server side. Starting with the mentioned ticket, we
>         use the JVM default list of enabled protocols. What makes this issue
>         a bit confusing is that starting with 1.7 SSLv2Hello should be
>         disabled by default on the client side, but not on the server side.
>         Cassandra should be able to accept SSLv2Hello connections from 3.0
>         nodes just fine. What JRE do you use? Any custom ssl specific
>         settings that might be effective here?
>
>         On 16.01.2018 15:13, Tommy Stendahl wrote:
>
>             Hi,
>
>             I have problems upgrading a cluster from 3.0.14 to 3.11.1 but
>             when I upgrade the first node it fails to gossip.
>
>             I have server encryption enabled on all nodes with this setting:
>
>             server_encryption_options:
>                  internode_encryption: all
>                  keystore: /usr/share/cassandra/.ssl/server/keystore.jks
>                  keystore_password: 'xxxxxxxxxxxxx'
>                  truststore: /usr/share/cassandra/.ssl/server/truststore.jks
>                  truststore_password: 'xxxxxxxxxxxxx'
>                  protocol: TLSv1.2
>                  cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
>
>
>             I get this error in the log:
>
>             2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
>             javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>                  at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
>                  at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
>                  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
>                  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
>                  at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
>                  at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
>                  at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
>                  at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
>                  at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]
>
>             I suspect that this has something to do with the change in
>             CASSANDRA-10508. Any suggestions on how to get around this
>             would be very much appreciated.
>
>             Thanks, /Tommy
>
>
>
>             ---------------------------------------------------------------------
>             To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
>             For additional commands, e-mail: user-help@cassandra.apache.org
>
>
>
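
A diagnostic sketch for the situation discussed in this thread, added here and not code from Cassandra or the JDK: it classifies the first bytes an inbound connection sends (for example, taken from a packet capture on the storage port) as an SSLv2-format ClientHello or a TLS record, and models the server-side gate behind the "SSLv2Hello is disabled" message. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_hello(data: bytes) -> dict:
    """Identify the framing of the first handshake bytes a server receives."""
    if len(data) < 5:
        return {"format": "truncated"}
    # SSLv2-format framing: 2-byte length with the high bit set, then
    # msg_type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        return {"format": "SSLv2Hello", "length": length,
                "offers": VERSIONS.get((data[3], data[4]), "unknown")}
    # TLS framing: content type 22 (handshake), record version, 2-byte length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            return {"format": "tls-record", "offers": "unknown"}
        return {"format": "tls-record",
                "length": struct.unpack(">H", data[3:5])[0],
                "offers": VERSIONS.get((data[9], data[10]), "unknown")}
    return {"format": "not-tls"}


def server_verdict(hello: dict, enabled_protocols: list) -> str:
    """Model of the server-side framing gate only, not of version negotiation."""
    if hello["format"] == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols:
        return "rejected: SSLv2Hello is disabled"
    if hello["format"] in ("SSLv2Hello", "tls-record"):
        return "continues to version negotiation"
    return "rejected: not a complete TLS handshake"


# Constructed sample bytes (not captured from the cluster in this thread).
V2_FRAMED = bytes.fromhex("802e010303") + bytes(8)    # v2 framing, offers TLSv1.2
TLS_FRAMED = bytes.fromhex("1603010030010000" "2c0303") + bytes(8)

if __name__ == "__main__":
    for name, raw in (("v2-framed", V2_FRAMED), ("tls-framed", TLS_FRAMED)):
        hello = classify_hello(raw)
        print(name, hello, "|", server_verdict(hello, ["TLSv1.2"]),
              "|", server_verdict(hello, ["SSLv2Hello", "TLSv1.2"]))
```

A peer that offers TLSv1.2 inside SSLv2-format framing is still turned away when the server's enabled list contains only TLSv1.2, which is why both the framing and the offered version are reported.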

