
Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Hi @Vipin Rathor

I looked up the bug as suggested below, although it's restricted for internal development.

For the record I have the following version of OpenSSL installed: 1.0.1e-fips

INFO 2017-08-29 17:09:51,722 security.py:93 - SSL Connect being called.. connecting to the server
ERROR 2017-08-29 17:09:51,725 Controller.py:456 - Unable to reconnect to https://xxx.xxx.xxx.xxx:8441/agent/v1/heartbeat/xxx.xxx.xxx.xxx (attempts=6, details=Request to https://xxx.xxx.xxx.xxx:8441/agent/v1/heartbeat/xxx.xxx.xxx.xxx failed due to EOF occurred in violation of protocol (_ssl.c:579))
INFO 2017-08-29 17:10:13,747 Controller.py:471 - Waiting 0.9 for next heartbeat
INFO 2017-08-29 17:10:14,648 Controller.py:478 - Wait for next heartbeat over
INFO 2017-08-29 17:10:14,651 NetUtil.py:70 - Connecting to https://xxx.xxx.xxx.xxx:8440/connection_info
ERROR 2017-08-29 17:10:14,657 NetUtil.py:96 - EOF occurred in violation of protocol (_ssl.c:579)
ERROR 2017-08-29 17:10:14,657 NetUtil.py:97 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Guru

Hello @L V,

Please make sure that Ambari Server is started with Oracle JDK and not any other JDK. Second, please make sure that all the Ambari agents are using Python 2.6 to start (this can be seen during the Agent restart command). There have been some known issues around this which were fixed by using the right JDK and the right Python library.

Hope this helps!

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Hi @Vipin Rathor

I can confirm that Ambari Server is starting with Java Oracle:

- Java(TM) SE Runtime Environment (build 1.8.0_131-b11)

- Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

Ambari agent on the other hand is using Python 2.7.X.

My OS is RHEL7, considering it is very similar to CentOS 7. Hortonworks recommends v2.7
https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Installing_HDP_AMB/content/_software_req...

So should I downgrade or is the problem elsewhere?

Kind regards,

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

@Vipin Rathor

Turns out you need to explicitly force it in the /etc/ambari-agent/conf/ambari-agent.ini file.

Example:

[security]

force_https_protocol=PROTOCOL_TLSv1_2

https://community.hortonworks.com/questions/114808/ambari-agents-cannot-reach-ambari-server-after-ch...
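
The setting above can be checked before an agent is restarted. The following is an added example, not part of the original thread and not Ambari code: a Python 3 sketch that reads the `[security]` section and classifies `force_https_protocol`. It assumes the value names a `PROTOCOL_*` constant of Python's `ssl` module; `check_agent_tls`, its `ssl_module` parameter and the sample configs are hypothetical names constructed for illustration.

```python
import configparser
import ssl

# Protocol constants that predate TLS 1.2 (the versions this thread disables).
LEGACY = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}

# Constructed sample configs, not copied from a real host.
SAMPLE_FIXED = "[server]\nhostname=ambari.example.internal\n\n[security]\nforce_https_protocol=PROTOCOL_TLSv1_2\n"
SAMPLE_UNSET = "[server]\nhostname=ambari.example.internal\n\n[security]\n; force_https_protocol not set\n"
SAMPLE_TYPO = "[security]\nforce_https_protocol=PROTOCOL_TLSv1.2\n"


def check_agent_tls(ini_text, ssl_module=ssl):
    """Classify the [security] force_https_protocol setting.

    Returns (status, detail); status is "ok", "unset", "legacy" or "unsupported".
    Assumption: the value names a PROTOCOL_* constant of the ssl module.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_option("security", "force_https_protocol"):
        return ("unset", "force_https_protocol is missing; the agent uses its built-in default")
    name = parser.get("security", "force_https_protocol").strip()
    if name in LEGACY:
        return ("legacy", name + " will be refused by a server that only accepts TLS 1.2")
    # A misspelled value, or an ssl module too old to define the constant,
    # both end up here: the name cannot be resolved to a protocol.
    if not name.startswith("PROTOCOL_") or not hasattr(ssl_module, name):
        return ("unsupported", name + " is not defined by this ssl module")
    return ("ok", name + " is defined by this ssl module")


if __name__ == "__main__":
    path = "/etc/ambari-agent/conf/ambari-agent.ini"
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_FIXED  # fall back to the constructed sample
    print("linked against:", ssl.OPENSSL_VERSION)
    print(check_agent_tls(text))
```

The `hasattr` result reflects the interpreter running the script, so it only describes the agent when that interpreter's `ssl` module and OpenSSL build match the ones the agent starts with.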

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Explorer

@Vipin Rathor I am facing the same issue of agents losing heartbeat, even though the version of Ambari being used here is 2.5.0.

Please suggest.

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Guru

@Neha Nirmal Have you tried using "force_https_protocol=PROTOCOL_TLSv1_2" in ambari-agent.ini?

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Explorer

@Vipin Rathor

Yes, I added this property on one of the servers that had the agent file. Still, it was also not able to communicate with the ambari-server.

Re: Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

I am also facing the same issue after updating "force_https_protocol=PROTOCOL_TLSv1_2" in ambari-agent.ini.

Agents are not communicating with server.