[jira] [Commented] (HBASE-30212) Netty should allow every supported TLS ciphers by default

Hudson (Jira) Tue, 09 Jun 2026 12:26:21 -0700


    [ 
https://issues.apache.org/jira/browse/HBASE-30212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087738#comment-18087738
 ]


Hudson commented on HBASE-30212:
--------------------------------

Results for branch master
        [build #50 on 
builds.a.o|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/]:
 (/) *{color:green}+1 overall{color}*
----
Backwards compatibility checks:
(/) {color:green}+1 jdk17 hadoop 3.3.5 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/console]


(/) {color:green}+1 jdk17 hadoop 3.3.6 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/console]


(/) {color:green}+1 jdk17 hadoop 3.4.0 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/console]


(/) {color:green}+1 jdk17 hadoop 3.4.1 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/console]


(/) {color:green}+1 jdk17 hadoop 3.4.2 backward compatibility checks{color}
-- For more information [see jdk17 
report|https://ci-hbase.apache.org/job/HBase-Backwards-Compatibility-Test/job/master/50/console]


> Netty should allow every supported TLS ciphers by default
> ---------------------------------------------------------
>
>                 Key: HBASE-30212
>                 URL: https://issues.apache.org/jira/browse/HBASE-30212
>             Project: HBase
>          Issue Type: Bug
>          Components: encryption
>            Reporter: Balazs Meszaros
>            Assignee: Balazs Meszaros
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0-alpha-1, 3.0.0-beta-2
>
>
> Netty has an internal list of default ciphers which is different from the JRE 
> supported ciphers. When we set 
> {{hbase.rpc.tls.ciphersuites=TLS_CHACHA20_POLY1305_SHA256}} at the 
> server-side, clients won't be able to connect to HBase server afterwards, 
> because this cipher is not in Netty's default cipher list. This cipher is a 
> *mandatory* cipher suite for TLSv1.3.
> We should make the _default_ cipher list less strict at the client side.
> This is error message when we leave cipher list as the default at client side:
> {noformat}
> [RS-EventLoopGroup-1-2]: Connection /10.140.140.193:55120; caught unexpected 
> downstream exception.
> org.apache.hbase.thirdparty.io.netty.handler.codec.DecoderException: 
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:515)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.handlerRemoved(ByteToMessageDecoder.java:270)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:553)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:805)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:501)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:399)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>  [hbase-shaded-netty-4.1.11.jar:?]
>       at java.lang.Thread.run(Thread.java:833) [?:?]
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>       at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
>       at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) 
> ~[?:?]
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:314) 
> ~[?:?]
>       at sun.security.ssl.TransportContext.fatal(TransportContext.java:305) 
> ~[?:?]
>       at 
> sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:539)
>  ~[?:?]
>       at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440) ~[?:?]
>       at 
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1246)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1182)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:840)
>  ~[?:?]
>       at 
> sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:801)
>  ~[?:?]
>       at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
>       at 
> sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
>  ~[?:?]
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
>  ~[?:?]
>       at 
> java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
>       at 
> sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209) 
> ~[?:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1377)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1428)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       at 
> org.apache.hbase.thirdparty.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
>  ~[hbase-shaded-netty-4.1.11.jar:?]
>       ... 22 more
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (HBASE-30212) Netty should allow every supported TLS ciphers by default

Reply via email to