We've set up a Pulsar 3.1.0 cluster with OIDC authentication. This works fine until we try to connect to a Keycloak instance that is restricted to only accept TLSv1.3; then we get a fatal alert: protocol_version error.
Debugging the TLS handshake, the initial communication goes well, with both ClientHello.extensions.supported_versions.versions and ServerHello.extensions.supported_versions.selected_version having TLSv1.3 as value.
The problem arises after the log says "org.apache.pulsar.functions.worker.Workerutils - Create Pulsar Admin to service ..." and the AsyncHttpClient starts its TLS handshake.
The failing ClientHello has TLSv1.2 in ClientHello.extensions.supported_versions.versions.
We've tried to set different Pulsar runtime options using PULSAR_EXTRA_OPTS to control protocol version but they don't seem to be honoured for that case. We've verified on the Pulsar server that the PULSAR_EXTRA_OPTS environment variables are set.
The runtime options we added to Pulsar were: PULSAR_EXTRA_OPTS="-Dhttps.protocols=TLSv1.3 -Dhttps.client.protocols=TLSv1.3 -Djdk.tls.client.protocols=TLSv1.3 -Djavax.net.debug=ssl:handshake"
Is it possible to force the TLS version in some other way, or is it a known problem with a potential workaround?
Unfortunately, we don't have the customer's permission to share any logs.
Adding -Dorg.asynchttpclient.enabledProtocols=TLSv1.3 to PULSAR_EXTRA_OPTS makes it work. Unfortunately, this is undocumented.
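As an added example (not part of the original thread), a small POSIX shell check for the situation described above: given a Pulsar JVM command line (for instance captured with ps -o args= -p <pid> on the broker or function-worker host), it reports whether only the JDK-level TLS properties are present, which AsyncHttpClient does not honour because it applies its own enabledProtocols setting to its SSLEngine, or whether the AsyncHttpClient property from the answer is present and pins TLSv1.3. The sample command lines at the bottom are constructed, not real captures.

```shell
# Returns 0 when the command line pins AsyncHttpClient to TLSv1.3 only,
# 1 when pinning is present but incomplete (JDK-level flags only, or the
# AsyncHttpClient list still offers other versions), 2 when nothing is set.
check_ahc_tls_pin() {
  cmdline="$1"
  # Value of -Dorg.asynchttpclient.enabledProtocols=..., if any.
  ahc=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | sed -n 's/^-Dorg\.asynchttpclient\.enabledProtocols=//p')
  # Count of JDK-level protocol properties that AsyncHttpClient ignores.
  jdk=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
        | grep -c -e '^-Djdk\.tls\.client\.protocols=' \
                  -e '^-Dhttps\.protocols=' \
                  -e '^-Dhttps\.client\.protocols=' || true)
  if [ "$ahc" = "TLSv1.3" ]; then
    echo "ok: AsyncHttpClient restricted to TLSv1.3"
    return 0
  elif [ -n "$ahc" ]; then
    echo "warn: AsyncHttpClient enabledProtocols is '$ahc', not TLSv1.3 alone"
    return 1
  elif [ "$jdk" -gt 0 ]; then
    echo "insufficient: only JDK-level TLS properties set; AsyncHttpClient ignores them"
    return 1
  else
    echo "missing: no TLS protocol pinning found"
    return 2
  fi
}

# Constructed sample command lines (not real captures): the options from the
# question alone, and the same options plus the property from the answer.
BEFORE="java -Dhttps.protocols=TLSv1.3 -Dhttps.client.protocols=TLSv1.3 -Djdk.tls.client.protocols=TLSv1.3 org.apache.pulsar.PulsarBrokerStarter"
AFTER="$BEFORE -Dorg.asynchttpclient.enabledProtocols=TLSv1.3"

check_ahc_tls_pin "$BEFORE" || true
check_ahc_tls_pin "$AFTER"
```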