Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-4415

Zookeeper 3.7.0 : The client supported protocol versions [TLSv1.3] are not accepted by server preferences

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Blocker
    • Resolution: Unresolved
    • 3.7.0
    • None
    • server

    Description

      We are trying to add TLSv1.3 support in Zookeeper, currently by default TLSv1.2 is supported.

      Following are the configuration

      ssl.protocol=TLSv1.3
      ssl.enabledProtocols=TLSv1.3,TLSv1.2
      serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
      sslQuorumReloadCertFiles=true
      quorumListenOnAllIPs=true
      secureClientPort=2281
      sslQuorum=false
      portUnification=true
      ssl.quorum.clientAuth=need
      ssl.quorum.hostnameVerification=true
      ssl.quorum.keyStore.location=/opt/zookeeper/cert/cert1.pem
      ssl.quorum.trustStore.location=/opt/zookeeper/cert/cacert.pem
      ssl.trustStore.location=/opt/zookeeper/cert/ca/clientcacert.pem
      ssl.keyStore.location=/opt/zookeeper/cert/cert1.pem
      ssl.clientAuth=need
      
      

      by setting  "ssl.enabledProtocols=TLSv1.3,TLSv1.2", only TLSv1.2 communication is working but for TLSv1.3 following error coming

       

      2021-10-07T12:24:44.121+0000 [myid:] - ERROR [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CertificateVerifier@434] - Unsuccessful handshake with session 0                          x0
      2021-10-07T12:24:44.123+0000 [myid:] - WARN  [nioEventLoopGroup-4-2:NettyServerCnxnFactory$CnxnChannelHandler@273] - Exception caught
      io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server p                          references [TLS12]
              at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.5                          0.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.5                          0.Final]
              at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.50.Final.jar:4.1.50.                          Final]
              at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.50.Final.jar:4.1.50.Final                          ]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.50.Final.jar:4.1.5                          0.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.50.Final.jar:4.1.5                          0.Final]
              at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at java.lang.Thread.run(Thread.java:829) [?:?]
      Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]
              at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
              at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:336) ~[?:?]
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
              at sun.security.ssl.TransportContext.fatal(TransportContext.java:283) ~[?:?]
              at sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:916) ~[?:?]
              at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:832) ~[?:?]
              at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813) ~[?:?]
              at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
              at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
              at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
              at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
              at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.50.Final.jar:4.1.50.                          Final]
              at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
              ... 17 more
      
      

      error"The client supported protocol versions [TLSv1.3] are not accepted by server preferences"

       

       

      Zookeeper using netty 4.1.50  which support TLSv1.3( netty 4.1.31 onwards support TLSv1.3  ref: https://netty.io/news/2018/10/30/4-1-31-Final.html)

      when trying to openssl with -tls1_3 to connect with zookeeper over TLS port it failed with following error coming

      openssl s_client --connect zookeeper1:2281 --cert /run/secret/client/clicert.pem --key /run/secret/client/cliprivkey.pem --CAfile /run/secret/ca/cacert.pem -tls1_3
      CONNECTED(00000003)
      140629337047680:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 318 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      
      

       

      and if ssl.enabledProtocols=TLSv1.3  (only TLSv1.3) then TLSv1.2 also not working and following error coming in logs

       at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.50.Final.jar:4.1.50.Final]
              at java.lang.Thread.run(Thread.java:829) [?:?]
      Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
              at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170) ~[?:?]
              at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62) ~[?:?]
              at sun.security.ssl.TransportContext.kickstart(TransportContext.java:222) ~[?:?]
              at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:491) ~[?:?]
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[?:?]
              at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[?:?]
              at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
              at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
              at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.50.Final.jar:4.1.50.Final]
              ... 17 more
      
      

      error " No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"

      I wonder if TLSv1.3 is really supported in zookeeper or not, if yes then from which version onwards?

      so, would need help to enable TLSv1.3 support,

      let us know if any further information required.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              xsasahu Santosh Kumar Sahu
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 10m
                  10m