TLS Handshake Error: "wrong version number" with --tls #4526
Comments
|
Hi @jahnavilatha589, thanks for reporting this. I will proceed with that and get back to you later |
|
@jahnavilatha589 do you succeed to connect to the instance? |
|
@romange , Yes.able to connect to instance |
|
so maybe it's bots scanning your open ports, trying to connect? is your connection accessible from the internet? |
|
@romange , No, Not accessible from the internet |
|
Now it's working. Instance receiving requests from Monitoring tool. Thank you. |
|
@BagritsevichStepan you are very quick :) but the logs will contain: which looks disturbing. We should tone down the logs or at least have better wording |
|
It wasn't me who closed the ticket 😄 |
|
Enabled TLS with flags --tls, --tls_key_file, --tls_cert_file, and tls_replication. Now replication stops working. LOGS in master : Is --tls_ca_cert_file mandatory flag for replication.? |
|
@kostasrim can you help please? |
how did you configure master and replica ? Plz place the exact |
|
Master : dragonfly.conf --tiered_prefix=storage/flash/flash start command : ./dragonfly --flagfile=dragonfly.conf --tls --tls_key_file=/certs/hypermem.key --tls_cert_file=/certs/hypermem.pem --requirepass=test --port=6380 --tls_replication Replica : dragonfly.conf --tiered_prefix=storage/flash/flash start command : ./dragonfly --flagfile=dragonfly.conf --tls --tls_key_file=/certs/hypermem.key --tls_cert_file=/certs/hypermem.pem --requirepass=test --port=6380 --tls_replication |
|
if |
|
^^ this |
|
@romange I wanted to add a configuration test (we only got replication with tls and @jahnavilatha589 for now plz use |
|
@kostasrim , Any ETA for this fix? |
|
@jahnavilatha589 it's fixed already, see the linked PR. It needs merge + release (or you can get our weekly build once it's merged) |
|
dragonfly.conf --tiered_prefix=storage/flash/flash start command : ./dragonfly --flagfile=dragonfly.conf --tls --tls_key_file=/certs/hypermem.key --tls_cert_file=/certs/hypermem.pem --tls_ca_cert_file=/certs/hypermem-trust.pem --requirepass=test --port=6380 --tls_replication redis-cli --insecure --tls -> Not working If i start dragonfly without tls_ca_cert_file then redis-cli --insecure --tls is working Could you please check on this? |
|
Hi @jahnavilatha589 you are misusing the flags. Why would this work ? You are configuring
Of course it's working, because now dragonfly is configured to not verify peer certificates which you do not supply to your client anyway. All in all,
|
|
Thank you @kostasrim . Now it's clear. I used a CA cert to enable tls_replication, but I don't want to authorize client connections using the CA cert. Is there a way to disable client connection authorize on the server side (in DragonflyDB)? |
yes, once my PR is merged you can pull a docker weekly/daily build. Until the fix gets merged you do need
You need some form of authorization, either with password or ca or both. |
I started Dragonfly with the flags --tls, --tls_key_file, and --tls_cert_file, but after the server starts, the following log message keeps appearing repeatedly.
W20250129 15:59:21.307173 1357310 dragonfly_connection.cc:696] Error handshaking error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Does DragonflyDB support specific TLS versions, and do I need to configure them explicitly?
The text was updated successfully, but these errors were encountered: