Reputation: 21
Unable to connect to Cassandra 4.0.7 using cqlsh when Cassandra is enabled for TLSv1.3. The DataStax driver version is 3.25.0.
./cqlsh --debug --ssl --cqlshrc /apache-cassandra/conf/cqlshrc <IP_ADDRESS> 9042
Using CQL driver: <module 'cassandra' from '/apache-cassandra/bin/../lib/cassandra-driver-internal-only-3.25.0.zip/cassandra-driver-3.25.0/cassandra/__init__.py'>
Using connect timeout: 5 seconds
Using 'utf-8' encoding
Using ssl: True
TLSv1_3 is not a valid SSL protocol, please use one of TLS, TLSv1_2, TLSv1_1, or TLSv1
Please note that all Cassandra nodes are up and running; also, the application is running fine.
Upvotes: 1
Views: 946
Reputation: 16373
Two years ago, some Java versions removed support for TLS v1.0 and v1.1 since they were no longer considered secure (JDK-8202343).
Following on from this move, a check was added to cqlsh to prefer newer TLS versions over older ones (CASSANDRA-16695). However, the change inadvertently didn't include TLS v1.3 as one of the versions.
In Cassandra 4.1, the TLS version-specific check was removed from cqlsh since the driver is able to auto-negotiate to the highest protocol version that both the client and server can support (CASSANDRA-17365).
As a workaround in Cassandra 4.0, do NOT specify a protocol version when connecting to a cluster so the Cassandra Python driver (embedded in cqlsh) will auto-negotiate to TLS v1.3 if the cluster supports it. Cheers!
Upvotes: 1
Reputation: 57798
It looks like the version of cqlsh included with Cassandra 4.0.7 (cqlsh 6.0.0) does not support TLS 1.3. This is explicitly visible in the pylib/cqlshlib/sslhandling.py file in the get_best_tls_protocol method:
    import ssl

    def get_best_tls_protocol(ssl_ver_str):
        # An explicit "version" from cqlshrc is mapped to ssl.PROTOCOL_<name>;
        # the ssl module has no PROTOCOL_TLSv1_3, so "TLSv1_3" yields None.
        if ssl_ver_str:
            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
        # No version configured: fall back to the newest constant available.
        for protocol in ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']:
            if hasattr(ssl, protocol):
                return getattr(ssl, protocol)
        return None
One approach here would be to set the version property in the [ssl] section of the cqlshrc file to "TLS":
[ssl]
version = TLS
But the better way is to just not set it. Either of these approaches will cause it to connect while negotiating the highest possible TLS version.
I recommend the latter, as the latest cqlsh version (6.1.0) included with Cassandra 4.1 displays a warning whenever that property is set, disregards its value, and auto-negotiates the TLS version.
Upvotes: 1
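As an added example (not from the question or either answer), here is the cqlsh 6.0.0 lookup quoted above beside a hypothetical replacement that builds an SSLContext instead of picking a PROTOCOL_* constant. It shows why "TLSv1_3" maps to nothing in Python's ssl module and how a configured version can still be honoured as a negotiation floor; the names legacy_protocol_lookup, is_valid_version_string and build_client_context are my own.

```python
import ssl

# The cqlsh 6.0.0 behaviour reproduced from the answer: a configured version
# string is looked up as ssl.PROTOCOL_<name>. There is no PROTOCOL_TLSv1_3
# constant, so "TLSv1_3" silently resolves to None.
def legacy_protocol_lookup(ssl_ver_str):
    if ssl_ver_str:
        return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
    for protocol in ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']:
        if hasattr(ssl, protocol):
            return getattr(ssl, protocol)
    return None


def is_valid_version_string(ssl_ver_str):
    # "TLS" means "negotiate"; anything else must name a TLSVersion member.
    return ssl_ver_str == "TLS" or ssl_ver_str in ssl.TLSVersion.__members__


# Hypothetical replacement (not cqlsh code): always use PROTOCOL_TLS_CLIENT,
# which negotiates the highest version both peers support, and turn an
# explicit version string into a minimum rather than a fixed protocol.
def build_client_context(ssl_ver_str=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not ssl_ver_str or ssl_ver_str == "TLS":
        return ctx  # unset or "TLS": leave the choice to the handshake
    if not is_valid_version_string(ssl_ver_str):
        names = [v.name for v in ssl.TLSVersion if v.name.startswith("TLSv1")]
        raise ValueError("%s is not a valid TLS version, please use one of TLS, %s"
                         % (ssl_ver_str, ", ".join(names)))
    # e.g. "TLSv1_3" -> refuse anything older than TLS 1.3 on this client
    ctx.minimum_version = ssl.TLSVersion[ssl_ver_str]
    return ctx


if __name__ == "__main__":
    print("legacy lookup for TLSv1_3:", legacy_protocol_lookup("TLSv1_3"))
    print("OpenSSL offers TLS 1.3:", ssl.HAS_TLSv1_3)
    print("context floor for TLSv1_3:", build_client_context("TLSv1_3").minimum_version)
```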