Kong tries to connect to the Cassandra Database using TLSv1 which was recently deprecated and removed from Java

[alexandrefilgueira]

Hi

So, we were debugging an issue we saw after refreshing our Cassandra docker images. We didn't know at that time, but we would get the latest update for Java8 which since April this year has TLSv1 and TLSv1.1 disabled by default.

When we restarted Kong, we noticed that Kong wasn't able to connect to the DB. We got SSL Handshake errors in Kong.

Logs in Cassandra showed us that a client (Kong) was trying to connect using TLSv1 and the server didn't support it.

We started then investigate how to tell Kong to use TLSv1.2 or 1.3.

We then found the configuration KONG_SSL_PROTOCOLS which we changed to only allow TLSv1.2 and TLSv1.3.

After restart Kong, same error in Cassandra, Kong is trying to connect with TLSv1.

We temporarily solved this by re-enabling TLSv1 in Java for the Cassandra container changing the java.security file. But of course this is just a workaround. We would like to configure Kong to use the right protocol version.

Are we looking at the wrong configuration? Is this a bug?

[dndx]

We have fixed something of similar nature for Postgres before (#6645). Could you provide the version number of Kong you are using and any customizations you may have inside kong.conf?

[alexandrefilgueira]

We use version 2.0.4. No special customization to kong.conf.

I was reading your other post. I tried setting KONG_NGINX_HTTP_LUA_SSL_PROTOCOLS but with the same error.

Do you think latest releases are built on top of a more up to date OpenSSL and that will fix it?