
Unable to connect to Cassandra 4.0.7 using cqlsh when Cassandra is enabled for TLSv1.3. The DataStax driver version is driver-3.25.0.

./cqlsh --debug --ssl --cqlshrc /apache-cassandra/conf/cqlshrc <IP_ADDRESS> 9042
Using CQL driver: <module 'cassandra' from '/apache-cassandra/bin/../lib/cassandra-driver-internal-only-3.25.0.zip/cassandra-driver-3.25.0/cassandra/__init__.py'>
Using connect timeout: 5 seconds
Using 'utf-8' encoding
Using ssl: True
TLSv1_3 is not a valid SSL protocol, please use one of TLS, TLSv1_2, TLSv1_1, or TLSv1

Please note that all Cassandra nodes are up and running. Also, the application is running fine.

Erick Ramirez
  • A friendly reminder that this site is for getting help with coding, algorithm, or programming language problems so I voted to have your post moved to [DBA Stack Exchange](https://dba.stackexchange.com/questions/ask?tags=cassandra). For future reference, you should post DB admin/ops questions on https://dba.stackexchange.com/questions/ask?tags=cassandra. Cheers! – Erick Ramirez Jun 22 '23 at 02:48

2 Answers


It looks like the version of cqlsh included with Cassandra 4.0.7 (cqlsh 6.0.0) does not support TLS 1.3. This is explicitly visible in the pylib/cqlshlib/sslhandling.py file in the get_best_tls_protocol method:

    import ssl

    def get_best_tls_protocol(ssl_ver_str):
        # ssl_ver_str is the 'version' value from the [ssl] section of cqlshrc, if set
        if ssl_ver_str:
            # Python's ssl module has no PROTOCOL_TLSv1_3, so "TLSv1_3" resolves to None
            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
        # fallback list when no version is configured; TLS 1.3 is not among them
        for protocol in ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']:
            if hasattr(ssl, protocol):
                return getattr(ssl, protocol)
        return None

One approach here would be to set the version property in the [ssl] section of the cqlshrc file to "TLS":

[ssl]
version = TLS

But the better way is to just not set it. Either of these approaches will cause it to connect while negotiating the highest possible TLS version.

I recommend the latter, as the latest cqlsh version (6.1.0) included with Cassandra 4.1 displays a warning whenever that property is set, disregards its value, and auto-negotiates the TLS version.

Aaron

Two years ago, some Java versions removed support for TLS v1.0 and v1.1 since they were no longer considered secure (JDK-8202343).

Following on from this move, a check was added to cqlsh to prefer newer TLS versions over older ones (CASSANDRA-16695). However, the change inadvertently didn't include TLS v1.3 as one of the versions.

In Cassandra 4.1, the TLS version-specific check was removed from cqlsh since the driver is able to auto-negotiate to the highest protocol version that both the client and server can support (CASSANDRA-17365).

As a workaround in Cassandra 4.0, do NOT specify a protocol version when connecting to a cluster so the Cassandra Python driver (embedded in cqlsh) will auto-negotiate to TLS v1.3 if the cluster supports it. Cheers!

Erick Ramirez
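Both answers above come down to the same mechanism: cqlsh 6.0.0 turns the cqlshrc version string into a PROTOCOL_* attribute lookup, and since Python's ssl module has no PROTOCOL_TLSv1_3 constant (TLS 1.3 is only reachable through PROTOCOL_TLS / PROTOCOL_TLS_CLIENT plus minimum_version), "TLSv1_3" can never resolve. The script below is an added example, not code from cqlsh, the Cassandra project or the DataStax Python driver. It reproduces that lookup for contrast, then shows the alternative a TLS-1.3-aware client would use: treat the configured version as a negotiation floor on a PROTOCOL_TLS_CLIENT context, so TLS 1.3 works and "unset" no longer silently permits TLS 1.0/1.1. The function names (lookup_protocol_constant, build_ssl_context, floor_from_cqlshrc, negotiated_version) and the inline cqlshrc text are assumptions constructed for the example; negotiated_version needs a reachable node whose native port speaks TLS and is only called from the main block.

```python
"""Why 'version = TLSv1_3' fails in cqlsh 6.0.0, and a TLS-1.3-aware alternative.

Added example; not code from cqlsh, Apache Cassandra or the DataStax Python driver.
"""
import configparser
import socket
import ssl

# Same fallback order as cqlsh 6.0.0's get_best_tls_protocol: note TLS 1.3 is absent.
FALLBACK_PROTOCOLS = ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']


def lookup_protocol_constant(ssl_ver_str):
    """The cqlsh 6.0.0 lookup, reproduced for contrast.

    The ssl module has no PROTOCOL_TLSv1_3 attribute, so "TLSv1_3" yields None,
    which cqlsh reports as 'TLSv1_3 is not a valid SSL protocol'.
    """
    if ssl_ver_str:
        return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
    for protocol in FALLBACK_PROTOCOLS:
        if hasattr(ssl, protocol):
            return getattr(ssl, protocol)
    return None


def tls13_available():
    """True if the OpenSSL linked into this Python can speak TLS 1.3 at all."""
    return bool(ssl.HAS_TLSv1_3)


def build_ssl_context(ssl_ver_str=None, ca_certs=None):
    """Client context in which the cqlshrc 'version' value is a floor, not a fixed protocol.

    None / "" / "TLS"      -> auto-negotiate, but never below TLS 1.2
    "TLSv1_2" / "TLSv1_3"  -> auto-negotiate, never below that version
    "TLSv1" / "TLSv1_1"    -> rejected: deprecated versions (the JDK-8202343 rationale)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if ssl_ver_str in (None, "", "TLS"):
        floor = ssl.TLSVersion.TLSv1_2
    elif ssl_ver_str in ("TLSv1_2", "TLSv1_3"):
        floor = ssl.TLSVersion[ssl_ver_str]  # enum names match the cqlshrc spellings
    else:
        raise ValueError("unsupported or deprecated TLS version %r" % ssl_ver_str)
    if floor == ssl.TLSVersion.TLSv1_3 and not tls13_available():
        raise RuntimeError("this Python/OpenSSL build has no TLS 1.3 support")
    ctx.minimum_version = floor  # maximum stays MAXIMUM_SUPPORTED, so 1.3 is negotiated if offered
    if ca_certs:
        ctx.load_verify_locations(ca_certs)  # the CA bundle cqlshrc calls 'certfile'
    else:
        ctx.load_default_certs()
    return ctx


def floor_from_cqlshrc(text):
    """Parse the [ssl] section of a cqlshrc and return the resulting floor name."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    version = cfg.get("ssl", "version", fallback=None)  # unset behaves like "TLS"
    return build_ssl_context(version).minimum_version.name


def negotiated_version(host, port, ctx, timeout=5.0):
    """Handshake with a live node (TLS-only native port assumed) and report the result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for v in (None, "TLS", "TLSv1_2", "TLSv1_3"):
        print("cqlsh 6.0.0 lookup for %r -> %r" % (v, lookup_protocol_constant(v)))
    # Constructed sample cqlshrc fragments, not taken from any real deployment.
    print("floor with 'version = TLS':", floor_from_cqlshrc("[ssl]\nvalidate = true\nversion = TLS\n"))
    print("floor with version unset  :", floor_from_cqlshrc("[ssl]\nvalidate = true\n"))
    if tls13_available():
        print("floor with 'version = TLSv1_3':", floor_from_cqlshrc("[ssl]\nversion = TLSv1_3\n"))
```

Leaving version unset in cqlshrc, as both answers recommend, is the right fix for cqlsh 6.0.0; the point of build_ssl_context is that "unset" should still carry an explicit floor, and that a node that is configured for TLS 1.3 only can be verified by calling negotiated_version against its native port and checking that it returns "TLSv1.3".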