Olav Grønås Gjerde

Full stack system architect with passion for Unix, Java, Python and databases.
Twitter @olavgg
3 weeks ago

Apache Pulsar and SSLHandshakeException: protocol_version

Today I was struggling with a weird issue. For some reason my Nginx server on Debian would only allow TLSv1.3, and Apache Pulsar uses a slightly older version of AsyncHttpClient that only supported TLSv1.2 and older for OAuth2 token exchange.

This caused the protocol_version SSL exception when starting my Java clients that connect to Apache Pulsar using OAuth2 authentication.

The fix is easy though. First, analyze which SSL ciphers and protocols your web server allows:

nmap --script ssl-enum-ciphers -p 443 192.168.1.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

No support for TLSv1.2, even though I have this configured in my virtual host:

server {
  listen 443 ssl http2;
  ....
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers '......';
  ssl_prefer_server_ciphers  on;
  ....

Figuring this out was really frustrating, but the solution was simple. Debian does not provide a default 443 section, so you need to edit the file:

sudo vim /etc/nginx/sites-enabled/default

And add this to the bottom of the file:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate     ...
    ssl_certificate_key ...

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers '....';
    ssl_prefer_server_ciphers  on;
}

The result:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: A
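
The before/after comparison above can be turned into a repeatable check. This is an added example, not code from the original post: it parses ssl-enum-ciphers output (samples abridged from the two scans shown) and reports which protocol versions a client shares with the server. The `CLIENT` list is an assumption based on the post's description of the older AsyncHttpClient.

```python
import re

# Header lines such as "|   TLSv1.3:" open a protocol section in the script output.
PROTO_RE = re.compile(r"^\|[_ ]\s*((?:TLSv|SSLv)[\d.]+):\s*$")
# Cipher lines such as "|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A".
CIPHER_RE = re.compile(r"^\|\s+([A-Z0-9_]+) \(([^)]*)\) - ([A-F])\s*$")

def parse_ssl_enum_ciphers(text):
    """Return {protocol: [(cipher, key_exchange, grade), ...]}."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
        elif current and (m := CIPHER_RE.match(line)):
            offered[current].append(m.groups())
    return offered

def common_protocols(offered, client_protocols):
    """Versions both sides speak; an empty list means the handshake cannot succeed."""
    return sorted(set(offered) & set(client_protocols))

# Scan output abridged from the post: before and after adding the default_server block.
BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
"""
AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""
# Assumption: the client offers these versions (TLSv1.2 and older, per the post).
CLIENT = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

if __name__ == "__main__":
    for label, scan in (("before", BEFORE), ("after", AFTER)):
        print(label, common_protocols(parse_ssl_enum_ciphers(scan), CLIENT) or "NO COMMON PROTOCOL")
```

An empty result for the "before" scan corresponds to the protocol_version failure; piping a real scan into `parse_ssl_enum_ciphers` gives the same check for a live server.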