[Platform] Health check fails if DB TLS version is set to 1.2 #7196

Closed
streddy-yb opened this issue Feb 10, 2021 · 1 comment
Labels: area/platform (Yugabyte Platform), priority/high (High Priority)

Comments

@streddy-yb
Contributor

If --ssl_protocols (see #6671) gflag is set to TLS1.2 -or- above, then the platform health checks fail because ycqlsh uses TLS1.0 (see #7071).

@streddy-yb streddy-yb added this to the 2.5.x milestone Feb 10, 2021
WesleyW added a commit that referenced this issue Feb 11, 2021
Summary:
If `ssl_protocols` is added to the tserver gflags, health checks should use the appropriate option
when trying to connect with the sample cqlsh command.

Test Plan: Create tls universe with no gflags and run. Create tls universe with `ssl_protocols` and run.

Reviewers: sanketh, arnav, bogdan, daniel, sb-yb

Reviewed By: sb-yb

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10596
WesleyW added a commit that referenced this issue Feb 11, 2021
…ersion of TLS

Summary: If `ssl_protocols` is added to the tserver gflags, health checks should use the appropriate option when trying to connect with the sample cqlsh command.

Test Plan:
Create tls universe with no gflags and run. Create tls universe with `ssl_protocols` and run.
Jenkins: rebase: 2.2

Reviewers: sanketh, arnav, bogdan, daniel, sb-yb

Reviewed By: sb-yb

Subscribers: yugaware, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D10600
WesleyW added a commit that referenced this issue Feb 11, 2021
…ersion of TLS

Summary:
If `ssl_protocols` is added to the tserver gflags, health checks should use the appropriate option
when trying to connect with the sample cqlsh command.

Test Plan:
Create tls universe with no gflags and run. Create tls universe with `ssl_protocols` and run.
Jenkins: rebase: 2.4

Reviewers: sanketh, arnav, bogdan, daniel, sb-yb

Reviewed By: sb-yb

Subscribers: yugaware, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D10599
@tylarb
Contributor

tylarb commented Feb 12, 2021

A workaround to this is to set `SSL_VERSION=TLSv1_2` in the yugabyte user's .bashrc on all data nodes.

WesleyW added a commit that referenced this issue Feb 12, 2021
Summary:
D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by
trying to pass in None.

This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more
than one value (e.g. "ssl2 ssl3,tls10 tls11")

Test Plan:
Create TLS universe without the flag. Try health check.
Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check.

Reviewers: daniel, arnav, sanketh, sb-yb

Reviewed By: sb-yb

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10617
WesleyW added a commit that referenced this issue Feb 12, 2021
Summary:
D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by
trying to pass in None.

This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more
than one value (e.g. "ssl2 ssl3,tls10 tls11")

Test Plan:
Create TLS universe without the flag. Try health check.
Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check.

Reviewers: daniel, arnav, sanketh, sb-yb

Reviewed By: sb-yb

Subscribers: yugaware, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D10620
WesleyW added a commit that referenced this issue Feb 12, 2021
Summary:
D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by trying to pass in None.

This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more
than one value (e.g. "ssl2 ssl3,tls10 tls11")

Test Plan:
Create TLS universe without the flag. Try health check.
Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check.

Reviewers: daniel, arnav, sanketh, sb-yb

Reviewed By: sb-yb

Subscribers: yugaware, jenkins-bot

Differential Revision: https://phabricator.dev.yugabyte.com/D10621
polarweasel pushed a commit to lizayugabyte/yugabyte-db that referenced this issue Mar 9, 2021
Summary:
If `ssl_protocols` is added to the tserver gflags, health checks should use the appropriate option
when trying to connect with the sample cqlsh command.

Test Plan: Create tls universe with no gflags and run. Create tls universe with `ssl_protocols` and run.

Reviewers: sanketh, arnav, bogdan, daniel, sb-yb

Reviewed By: sb-yb

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10596
polarweasel pushed a commit to lizayugabyte/yugabyte-db that referenced this issue Mar 9, 2021
Summary:
D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by
trying to pass in None.

This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more
than one value (e.g. "ssl2 ssl3,tls10 tls11")

Test Plan:
Create TLS universe without the flag. Try health check.
Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check.

Reviewers: daniel, arnav, sanketh, sb-yb

Reviewed By: sb-yb

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10617
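
The commit messages above describe deriving the cqlsh TLS setting from the `ssl_protocols` gflag, defaulting to TLSv1.2 when the flag is absent and accepting several values separated by spaces or commas. The sketch below is an added example, not the Yugabyte Platform code: the function names, the `tls12` token, the token-to-`SSL_VERSION` mapping, and the policy of picking the strongest allowed protocol are assumptions.

```python
import re

# Assumed mapping from ssl_protocols tokens to the names cqlsh accepts in the
# SSL_VERSION environment variable, ordered weakest first. ssl2/ssl3 are
# recognised as tokens but never selected, since current Python ssl builds
# cannot negotiate them.
GFLAG_TO_CQLSH = [
    ("ssl2", None),
    ("ssl3", None),
    ("tls10", "TLSv1"),
    ("tls11", "TLSv1_1"),
    ("tls12", "TLSv1_2"),
]
DEFAULT_SSL_VERSION = "TLSv1_2"  # default named in the fix commit


def cqlsh_ssl_version(ssl_protocols):
    """Return the SSL_VERSION value for cqlsh given the tserver gflag value."""
    # Flag not set at all: fall back to the default instead of passing None on.
    if ssl_protocols is None or not ssl_protocols.strip():
        return DEFAULT_SSL_VERSION

    # The flag may hold several values separated by spaces and/or commas.
    tokens = [t.lower() for t in re.split(r"[,\s]+", ssl_protocols.strip()) if t]
    known = dict(GFLAG_TO_CQLSH)
    unknown = [t for t in tokens if t not in known]
    if unknown:
        raise ValueError("unrecognised ssl_protocols value(s): %s" % ", ".join(unknown))

    # Pick the strongest protocol the server allows that the client can speak.
    for name, version in reversed(GFLAG_TO_CQLSH):
        if name in tokens and version is not None:
            return version
    raise ValueError("no protocol in %r is usable by cqlsh" % ssl_protocols)


def cqlsh_env(ssl_protocols, base_env=None):
    """Build the environment for the health check's cqlsh subprocess."""
    env = dict(base_env or {})
    env["SSL_VERSION"] = cqlsh_ssl_version(ssl_protocols)
    return env
```

Failing loudly on an unrecognised or unusable value keeps a misconfigured flag from surfacing later as an opaque handshake error in the health check.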
3 participants