Balazs Meszaros created HBASE-30212:
---------------------------------------
Summary: Netty should allow every supported TLS cipher by default
Key: HBASE-30212
URL: https://issues.apache.org/jira/browse/HBASE-30212
Project: HBase
Issue Type: Bug
Components: encryption
Reporter: Balazs Meszaros
Assignee: Balazs Meszaros
Netty has an internal list of default ciphers which differs from the set of
ciphers the JRE supports. When we set
{{hbase.rpc.tls.ciphersuites=TLS_CHACHA20_POLY1305_SHA256}} on the server side,
clients can no longer connect to the HBase server, because this cipher is not
in Netty's default cipher list even though the JRE supports it. This cipher is
a *mandatory* cipher suite for TLSv1.3.
We should make the _default_ cipher list less strict, so that every cipher suite
the JRE supports is allowed rather than only those on Netty's built-in list.
{noformat}
[RS-EventLoopGroup-1-2]: Connection /10.140.140.193:55120; caught unexpected
downstream exception.
org.apache.hbase.thirdparty.io.netty.handler.codec.DecoderException:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:515)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:270)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:553)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:805)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:501)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
[hbase-shaded-netty-4.1.11.jar:?]
at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:358)
~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:305)
~[?:?]
at
sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:539)
~[?:?]
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440) ~[?:?]
at
sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1246)
~[?:?]
at
sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1182)
~[?:?]
at
sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:840)
~[?:?]
at
sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at
sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
~[?:?]
at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
~[?:?]
at
java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
at
sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209) ~[?:?]
at
org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545)
~[hbase-shaded-netty-4.1.11.jar:?]
at
org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
~[hbase-shaded-netty-4.1.11.jar:?]
... 22 more
{noformat}