ZooKeeper / ZOOKEEPER-3622

ZooKeeper 3.5.6 Quorum TLS protocol issues

Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.5.6
    • Fix Version/s: None
    • Component/s: server
    • Labels: None

Description

Using 3.5.6 I have quorum TLS working, but I'm being asked to tighten up from the default of AES128 & TLS 1.2, so I've tried the following in the zoo.cfg:

ssl.quorum.protocol=TLSv1.3

This is apparently not supported yet - is this dependent on the version of openssl on the system, or is this just not an option I can specify? Where can I find the list of protocols that are recognized? If 1.3 is not yet available, not the end of the world.

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This is not a recognized cipher, neither is AES256/SHA256. The above cipher should be available though, and is the stronger successor to AES128/SHA256.

I have the suspicion that I'm setting it wrong, because if I set it to the cipher it defaults to when unset:

ssl.quorum.ciphersuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

it gives me this when cluster members try to connect:

2019-11-16 19:39:33,731 [myid:1] - INFO [xxx/x.x.x.x:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:40822 - NONE - SSL_NULL_WITH_NULL_NULL
2019-11-16 19:39:33,732 [myid:1] - WARN [xxx/x.x.x.x:3888:QuorumCnxManager@542] - Exception reading or writing challenge: {}

(the only alteration I made to the above snippet is changing the machine names to xxx and IPs to x.x.x.x; I altered it in no other way)

So two questions:

1) is TLS 1.3 an option?

2) what is the cipher list? I would like an AES256 option.

Update: So I removed all my changes and I kept getting the SSL_NULL_WITH_NULL_NULL error. I tore everything down, put it all back together, and still got SSL_NULL. Started again with just the first two nodes, very slowly, picking over the log, and then I noticed the initial error that the name in the cert didn't match the name of the server. When I set up the reverse lookup zone in DNS on Friday, I had set the FQDN properly, but over the weekend (while zk hummed along fine) the zone populated and overwrote everything with just the machine names, removing the FQDN. Hence the name not matching.
I manually added the FQDN to the entries, rebooted the servers, and they started working.
Since I was getting SSL_NULL when I got off of trying TLSv1.3 and just trying AES256-SHA384, I tried that again, and it works fine:

2019-11-16 22:20:09,346 [myid:2] - INFO [LearnerHandler-/x.x.x.x:43548:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:43548 - TLSv1.2 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

So, this is less of a bug and more of a request - is TLS 1.3 an option, and how can I get a cipher list? I have AES256-SHA384 so that's acceptable to the SecOps where I work.
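Added example, not part of the issue or of ZooKeeper itself: a small Python audit over the "Accepted TLS connection" log lines quoted above. It separates sockets that were accepted but never completed a handshake (the "NONE - SSL_NULL_WITH_NULL_NULL" case that preceded the "Exception reading or writing challenge" warning) from connections that negotiated a protocol and suite, and checks the negotiated suite against the policy the reporter was asked to enforce. The sample log text and the policy sets are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the issue (hosts and IPs masked).
SAMPLE_LOG = """\
2019-11-16 19:39:33,731 [myid:1] - INFO [xxx/x.x.x.x:3888:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:40822 - NONE - SSL_NULL_WITH_NULL_NULL
2019-11-16 19:39:33,732 [myid:1] - WARN [xxx/x.x.x.x:3888:QuorumCnxManager@542] - Exception reading or writing challenge: {}
2019-11-16 22:20:09,346 [myid:2] - INFO [LearnerHandler-/x.x.x.x:43548:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:43548 - TLSv1.2 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2019-11-16 22:20:10,100 [myid:2] - INFO [LearnerHandler-/x.x.x.x:43550:UnifiedServerSocket$UnifiedSocket@273] - Accepted TLS connection from xxx/x.x.x.x:43550 - TLSv1.2 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Matches the "Accepted TLS connection from <peer> - <protocol> - <suite>" lines.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[myid:(?P<myid>\d+)\].*Accepted TLS connection from "
    r"(?P<peer>\S+) - (?P<proto>\S+) - (?P<suite>\S+)$"
)

# Policy (constructed): the AES-256 suite the reporter was asked to move to.
REQUIRED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
REQUIRED_SUITES = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}


def parse_accepts(log_text):
    """Return one dict (ts, myid, peer, proto, suite) per accepted-connection line."""
    return [m.groupdict() for m in map(ACCEPT_RE.match, log_text.splitlines()) if m]


def classify(conn):
    """'unnegotiated': socket accepted but no handshake completed (NONE / NULL suite),
    'ok': protocol and suite meet policy, 'weak': handshake done but outside policy."""
    if conn["proto"] == "NONE" or conn["suite"] == "SSL_NULL_WITH_NULL_NULL":
        return "unnegotiated"
    if conn["proto"] in REQUIRED_PROTOCOLS and conn["suite"] in REQUIRED_SUITES:
        return "ok"
    return "weak"


def audit(log_text):
    """Count connections per class; a healthy, compliant cluster shows only 'ok'."""
    return Counter(classify(c) for c in parse_accepts(log_text))


if __name__ == "__main__":
    for c in parse_accepts(SAMPLE_LOG):
        print(c["ts"], c["peer"], c["proto"], c["suite"], "->", classify(c))
    print(dict(audit(SAMPLE_LOG)))
```

Run it against a real quorum log to confirm that every peer actually negotiated the intended suite rather than trusting the zoo.cfg setting alone; any "unnegotiated" entries point at a handshake failure such as the certificate name mismatch found in the update.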

People

Assignee: Unassigned
Reporter: Kelly Schoenhofen