We use Oracle jdk1.8.0_152 on all nodes and, as I understand it, Oracle uses a dot in the protocol name (TLSv1.2). I use the same protocol name and cipher names on the 3.0.14 nodes and on the one I am trying to upgrade to 3.11.1.

On 2018-01-17 15:02, Georg Brandemann wrote:
If I remember correctly, the protocol names differ between some JRE vendors.

With IBM Java, for instance, the protocol name would be TLSv12 (without .).

Are you using the same JRE on all nodes, and are the protocol name and cipher names exactly the same on all nodes?

2018-01-17 14:51 GMT+01:00 Tommy Stendahl <tommy.stend...@ericsson.com>:

    Thanks for your response.

    I got it working by removing my protocol setting from the
    configuration on the 3.11.1 node so it uses the default protocol
    setting. I'm not sure exactly how that changes things, so I need to
    investigate that. We don't have any custom ssl settings that
    should affect this and we use jdk1.8.0_152.

    But I think this should have worked. As you say, SSLv2Hello should
    be enabled on the server side, so I don't understand why I can't
    specify TLSv1.2.

    /Tommy


    On 2018-01-17 11:03, Stefan Podkowinski wrote:

        I think what this error indicates is that a client is trying to
        connect using an SSLv2Hello handshake, while this protocol has
        been disabled on the server side. Starting with the mentioned
        ticket, we use the JVM default list of enabled protocols. What
        makes this issue a bit confusing is that starting with 1.7
        SSLv2Hello should be disabled by default on the client side, but
        not on the server side. Cassandra should be able to accept
        SSLv2Hello connections from 3.0 nodes just fine. What JRE do you
        use? Any custom ssl specific settings that might be effective
        here?

        On 16.01.2018 15:13, Tommy Stendahl wrote:

            Hi,

            I have problems upgrading a cluster from 3.0.14 to 3.11.1:
            when I upgrade the first node it fails to gossip.

            I have server encryption enabled on all nodes with this
            setting:

            server_encryption_options:
                 internode_encryption: all
                 keystore: /usr/share/cassandra/.ssl/server/keystore.jks
                 keystore_password: 'xxxxxxxxxxxxx'
                 truststore: /usr/share/cassandra/.ssl/server/truststore.jks
                 truststore_password: 'xxxxxxxxxxxxx'
                 protocol: TLSv1.2
                 cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]


            I get this error in the log:

            2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16] MessagingService.java:1329 SSL handshake error for inbound connection from 30f93bf4[SSL_NULL_WITH_NULL_NULL: Socket[addr=/x.x.x.x,port=40583,localport=7001]]
            javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
                 at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637) ~[na:1.8.0_152]
                 at sun.security.ssl.InputRecord.read(InputRecord.java:527) ~[na:1.8.0_152]
                 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983) ~[na:1.8.0_152]
                 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_152]
                 at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_152]
                 at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_152]
                 at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_152]
                 at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_152]
                 at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.1.jar:3.11.1]

            I suspect that this has something to do with the change in
            CASSANDRA-10508. Any suggestions on how to get around this
            would be very much appreciated.

            Thanks, /Tommy


            ---------------------------------------------------------------------
            To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
            For additional commands, e-mail: user-h...@cassandra.apache.org


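The framing difference this thread turns on, as an added example that is not part of any message above and is not Cassandra or JSSE code: it classifies the first bytes a peer sends on the internode port as an SSLv2-format ClientHello or a TLS record, then applies a simplified model of the listener's check. The function names, the acceptance rule and the sample bytes are assumptions constructed for illustration.

```python
# Added example (not Cassandra or JSSE code): classify the first bytes a
# peer sends and model whether a listener with a given enabled-protocol
# list would accept that framing.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]           # oldest to newest
VERSIONS = {(3, i): name for i, name in enumerate(ORDER)}  # wire (major, minor)

# Constructed samples: only the leading bytes of each kind of ClientHello.
V2_HELLO = bytes.fromhex("802e01030300150000000010")   # SSLv2 framing, offers 3.3
TLS_HELLO = bytes.fromhex("16030100a5010000a10303")    # TLS record, offers 3.3


def classify_hello(data):
    """Return (framing, offered_version) for the start of a connection."""
    if len(data) < 5:
        return ("unknown", None)
    # SSLv2 framing: 2-byte header with the high bit set, message type 1
    # (CLIENT-HELLO), then the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        return ("SSLv2Hello", VERSIONS.get((data[3], data[4])))
    # TLS framing: content type 0x16, record version, 2-byte length, then
    # handshake type 1 with a 3-byte length and the client_version.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 11 and data[5] == 0x01:
        return ("TLS", VERSIONS.get((data[9], data[10])))
    return ("unknown", None)


def listener_accepts(enabled, data):
    """Simplified model: the framing must be enabled, and some enabled
    version must be at or below the one the client offers."""
    framing, version = classify_hello(data)
    if framing == "unknown" or version is None:
        return (False, "not a recognised ClientHello")
    if framing == "SSLv2Hello" and "SSLv2Hello" not in enabled:
        return (False, "SSLv2Hello is disabled")
    offered = ORDER.index(version)
    if not any(p in ORDER and ORDER.index(p) <= offered for p in enabled):
        return (False, "no enabled version at or below " + version)
    return (True, framing + " framing, offers " + version)


if __name__ == "__main__":
    for name, sample in (("v2-framed", V2_HELLO), ("TLS-framed", TLS_HELLO)):
        for enabled in (["TLSv1.2"], ["SSLv2Hello", "TLSv1.2"]):
            print(name, enabled, listener_accepts(enabled, sample))
```

Both samples offer TLSv1.2; only the v2-framed one is refused when the enabled list lacks `SSLv2Hello`, which matches the exception text in the log.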