GemFire Pulse fails to load with 'javax.naming.CommunicationException .........Unsupported protocolTLSv1.2 TLSv1.3'

Article ID: 411027

Products

VMware Tanzu Data Suite

Issue/Introduction

 
GemFire Pulse fails to load after a configuration change to accept both TLS 1.2 and TLS 1.3, and the logs show the exception stack trace below.
 
FATAL o.a.g.t.p.i.d.JMXDataUpdater [qtp640736196-56] Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: Exception creating connection to: xxx.net; nested exception is: 

 java.io.IOException: Unsupported protocolTLSv1.2 TLSv1.3]

java.io.IOException: Failed to retrieve RMIServer stub:

…

Caused by: java.lang.IllegalArgumentException: Unsupported protocolTLSv1.2 TLSv1.3

 
 

Environment

GemFire 10.1.3

Cause

The key line in the exception stack trace is 'Unsupported protocolTLSv1.2 TLSv1.3'. The whole string 'TLSv1.2 TLSv1.3' was treated as a single protocol name rather than as two separate entries.

Possible causes for this error are:

  1. Incorrect configuration while listing multiple TLS versions. A common mistake is not ensuring that the entries are comma-separated in the config files.
  2. Custom startup scripts can sometimes parse the configuration values incorrectly, for example by substituting spaces for commas.

 

Resolution

When specifying ssl-protocols, you can list the versions explicitly or use 'any' if permitted by the Security team.

The documentation states:

"ssl-protocols: A comma-separated list of the valid protocol versions for TCP/IP connections with TLS encryption enabled. A setting of ‘any’ attempts to use your JSSE provider’s TLSv1.3, or TLSv1.2 if v1.3 is not available."

For example, this translates to:

JMX_MANAGER_SSL_PROTOCOLS=TLSv1.2,TLSv1.3

when connecting securely to the GemFire JMX Manager, and

CLUSTER_SSL_PROTOCOLS=TLSv1.2,TLSv1.3

for secure inter-cluster communication.
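
A pre-flight check that a custom startup script could run before launching GemFire, so a space-separated list is caught before it reaches the TLS layer. This is an added example, not part of the GemFire product or its documentation; the function names are hypothetical, and it assumes the two settings above are held as shell variables in the startup script.

```shell
#!/bin/sh
# Added example: pre-flight check for the ssl-protocols values in this article.

# check_ssl_protocols NAME VALUE
# Succeeds when VALUE is 'any' or a comma-separated list of TLSv1.2 / TLSv1.3.
check_ssl_protocols() {
  local name="$1" value="$2" rest token
  if [ -z "$value" ]; then
    echo "$name: value is empty" >&2; return 1
  fi
  [ "$value" = "any" ] && return 0
  case "$value" in
    *" "*)  # the failure mode from the stack trace: 'TLSv1.2 TLSv1.3'
      echo "$name: '$value' contains a space; separate versions with commas" >&2
      return 1 ;;
    ,*|*,|*,,*)
      echo "$name: '$value' has an empty list entry" >&2; return 1 ;;
  esac
  rest="$value"
  while [ -n "$rest" ]; do
    token="${rest%%,*}"                      # first remaining entry
    case "$rest" in *,*) rest="${rest#*,}" ;; *) rest="" ;; esac
    case "$token" in
      TLSv1.2|TLSv1.3) ;;
      *) echo "$name: unsupported entry '$token'" >&2; return 1 ;;
    esac
  done
  return 0
}

# Check both settings named in the article; unset variables are skipped.
# Assumption: the startup script holds them as shell variables.
preflight_tls_settings() {
  local rc=0
  if [ -n "${JMX_MANAGER_SSL_PROTOCOLS+set}" ]; then
    check_ssl_protocols JMX_MANAGER_SSL_PROTOCOLS "$JMX_MANAGER_SSL_PROTOCOLS" || rc=1
  fi
  if [ -n "${CLUSTER_SSL_PROTOCOLS+set}" ]; then
    check_ssl_protocols CLUSTER_SSL_PROTOCOLS "$CLUSTER_SSL_PROTOCOLS" || rc=1
  fi
  return $rc
}

# Constructed sample values; the first is the broken form from the log.
for sample in "TLSv1.2 TLSv1.3" "TLSv1.2,TLSv1.3" "any"; do
  if check_ssl_protocols sample "$sample" 2>/dev/null; then
    echo "accepted: $sample"
  else
    echo "rejected: $sample"
  fi
done
```

Calling preflight_tls_settings just before the process is started, and aborting on a non-zero return, turns the Pulse load failure into an immediate, readable configuration error.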