We use Oracle jdk1.8.0_152 on all nodes and as I understand oracle use a
dot in the protocol name (TLSv1.2) and I use the same protocol name and
cipher names in the 3.0.14 nodes and the one I try to upgrade to 3.11.1.
On 2018-01-17 15:02, Georg Brandemann wrote:
If i remember correctly the protocol names differ between some JRE
vendors.
With IBM Java for instance the protocol name would be TLSv12 ( without
. ).
Are you using the same JRE on all nodes and is the protocol name and
cipher names exactly the same on all nodes?
2018-01-17 14:51 GMT+01:00 Tommy Stendahl <tommy.stend...@ericsson.com
<mailto:tommy.stend...@ericsson.com>>:
Thanks for your response.
I got it working by removing my protocol setting from the
configuration on the 3.11.1 node so it use the default protocol
setting, I'm not sure exactly how that change things so I need to
investigate that. We don't have any custom ssl settings that
should affect this and we use jdk1.8.0_152.
But I think this should have worked, as you say SSLv2Hello should
be enabled on the server side so I don't understand why I can't
specify TLSv1.2
/Tommy
On 2018-01-17 11:03, Stefan Podkowinski wrote:
I think what this error indicates is that a client is trying
to connect
using a SSLv2Hello handshake, while this protocol has been
disabled on
the server side. Starting with the mentioned ticket, we use
the JVM
default list of enabled protocols. What makes this issue a bit
confusing, is that starting with 1.7 SSLv2Hello should be
disabled by
default on the client side, but not on the server side.
Cassandra should
be able to accept SSLv2Hello connections from 3.0 nodes just
fine. What
JRE do you use? Any custom ssl specific settings that might be
effective
here?
On 16.01.2018 15:13, Tommy Stendahl wrote:
Hi,
I have problems upgrading a cluster from 3.0.14 to 3.11.1
but when I
upgrade the first node it fails to gossip.
I have server encryption enabled on all nodes with this
setting:
server_encryption_options:
internode_encryption: all
keystore: /usr/share/cassandra/.ssl/server/keystore.jks
keystore_password: 'xxxxxxxxxxxxx'
truststore:
/usr/share/cassandra/.ssl/server/truststore.jks
truststore_password: 'xxxxxxxxxxxxx'
protocol: TLSv1.2
cipher_suites:
[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA]
I get this error in the log:
2018-01-16T14:41:19.671+0100 ERROR [ACCEPT-/10.61.204.16
<http://10.61.204.16>]
MessagingService.java:1329 SSL handshake error for inbound
connection
from 30f93bf4[SSL_NULL_WITH_NULL_NULL:
Socket[addr=/x.x.x.x,port=40583,localport=7001]]
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at
sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:637)
~[na:1.8.0_152]
at
sun.security.ssl.InputRecord.read(InputRecord.java:527)
~[na:1.8.0_152]
at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
~[na:1.8.0_152]
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
~[na:1.8.0_152]
at
sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938)
~[na:1.8.0_152]
at
sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
~[na:1.8.0_152]
at
sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
~[na:1.8.0_152]
at
java.io.DataInputStream.readInt(DataInputStream.java:387)
~[na:1.8.0_152]
at
org.apache.cassandra.net
<http://org.apache.cassandra.net>.MessagingService$SocketThread.run(MessagingService.java:1303)
~[apache-cassandra-3.11.1.jar:3.11.1]
I suspect that this has something to do with the change in
CASSANDRA-10508. Any suggestions on how to get around this
would be very
much appreciated.
Thanks, /Tommy
---------------------------------------------------------------------
To unsubscribe, e-mail:
user-unsubscr...@cassandra.apache.org
<mailto:user-unsubscr...@cassandra.apache.org>
For additional commands, e-mail:
user-h...@cassandra.apache.org
<mailto:user-h...@cassandra.apache.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
<mailto:user-unsubscr...@cassandra.apache.org>
For additional commands, e-mail:
user-h...@cassandra.apache.org
<mailto:user-h...@cassandra.apache.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
<mailto:user-unsubscr...@cassandra.apache.org>
For additional commands, e-mail: user-h...@cassandra.apache.org
<mailto:user-h...@cassandra.apache.org>