Unable to connect to cluster with cqlsh, getting "TLSv1_3 is not a valid SSL protocol"


Unable to connect to Cassandra 4.0.7 using cqlsh when Cassandra is enabled for TLSv1.3. The DataStax driver version is driver-3.25.0.

    ./cqlsh --debug --ssl --cqlshrc /apache-cassandra/conf/cqlshrc <IP_ADDRESS> 9042
    Using CQL driver: <module 'cassandra' from '/apache-cassandra/bin/../lib/cassandra-driver-internal-only-3.25.0.zip/cassandra-driver-3.25.0/cassandra/__init__.py'>
    Using connect timeout: 5 seconds
    Using 'utf-8' encoding
    Using ssl: True
    TLSv1_3 is not a valid SSL protocol, please use one of TLS, TLSv1_2, TLSv1_1, or TLSv1

Please note that all Cassandra nodes are up and running; also, the application is running fine.




It looks like the version of cqlsh included with Cassandra 4.0.7 (cqlsh 6.0.0) does not support TLS 1.3. This is explicitly visible in the pylib/cqlshlib/sslhandling.py file in the get_best_tls_protocol method:

    import ssl

    def get_best_tls_protocol(ssl_ver_str):
        # An explicit cqlshrc value is resolved by name only; there is no
        # ssl.PROTOCOL_TLSv1_3 constant, so "TLSv1_3" yields None here.
        if ssl_ver_str:
            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
        # No value set: fall back to the first protocol constant this
        # Python build exposes, PROTOCOL_TLS (auto-negotiate) first.
        for protocol in ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']:
            if hasattr(ssl, protocol):
                return getattr(ssl, protocol)
        return None

One approach here would be to set the version property in the [SSL] section of the cqlshrc file to "TLS":

    [ssl]
    version = TLS

But the better way is to just not set it. Either of these approaches will cause it to connect while negotiating the highest possible TLS version.

I recommend the latter, as the latest cqlsh version (6.1.0) included with Cassandra 4.1 displays a warning whenever that property is set, disregards its value, and auto-negotiates the TLS version.


Two years ago, some Java versions removed support for TLS v1.0 and v1.1 since they were no longer considered secure (JDK-8202343).

Following on from this move, a check was added to cqlsh to prefer newer TLS versions over older ones (CASSANDRA-16695). However, the change inadvertently didn't include TLS v1.3 as one of the versions.

In Cassandra 4.1, the TLS version-specific check was removed from cqlsh since the driver is able to auto-negotiate to the highest protocol version that both the client and server can support (CASSANDRA-17365).

As a workaround in Cassandra 4.0, do NOT specify a protocol version when connecting to a cluster so the Cassandra Python driver (embedded in cqlsh) will auto-negotiate to TLS v1.3 if the cluster supports it. Cheers!
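Both answers come down to the same two facts: the Python `ssl` module has no `PROTOCOL_TLSv1_3` constant, so a name lookup for "TLSv1_3" can only fail, and TLS 1.3 is reached by letting the client auto-negotiate. The example below is added here and is not code from either answer or from Cassandra's cqlsh; it reproduces the legacy lookup, then shows the context a defender would want when "just don't set it" is the advice: auto-negotiation with an explicit floor at TLS 1.2, so the fix for 1.3 does not silently reopen 1.0/1.1. The `context_for_cqlshrc_version` mapping is this example's own interpretation of the cqlshrc version string, not cqlsh's.

```python
"""Added example: why a name lookup cannot reach TLS 1.3, and the
auto-negotiating client context (with a floor) to use instead.
Not cqlsh code; the cqlshrc-string mapping below is an assumption."""
import ssl

# Order the 4.0-era cqlsh lookup walks when no version is configured.
LEGACY_ORDER = ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']


def legacy_best_tls_protocol(ssl_ver_str):
    """Mirror of the legacy lookup: resolve a configured string by attribute
    name. ssl exposes PROTOCOL_TLS, PROTOCOL_TLSv1_2, ... but never
    PROTOCOL_TLSv1_3, so "TLSv1_3" resolves to None."""
    if ssl_ver_str:
        return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
    for protocol in LEGACY_ORDER:
        if hasattr(ssl, protocol):
            return getattr(ssl, protocol)
    return None


def tls13_available():
    """True when the underlying OpenSSL was built with TLS 1.3."""
    return ssl.HAS_TLSv1_3


def build_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Auto-negotiating client context with a floor rather than a pin.
    PROTOCOL_TLS_CLIENT negotiates the highest version both peers support
    (TLS 1.3 when available); minimum_version keeps 1.0/1.1 out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def negotiable_versions(ctx):
    """TLS versions a context may end up negotiating, highest first."""
    ladder = [ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2,
              ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1]
    if not ssl.HAS_TLSv1_3:
        ladder = ladder[1:]
    floor = ctx.minimum_version  # IntEnum, so >= compares protocol order
    return [v for v in ladder if v >= floor]


def context_for_cqlshrc_version(ssl_ver_str):
    """Assumed (example-only) reading of the cqlshrc [ssl] version string:
    empty or "TLS" means auto-negotiate above a TLS 1.2 floor, "TLSv1_2" or
    "TLSv1_3" become floors, and deprecated 1.0/1.1 are refused instead of
    being enabled by a typo or a stale config."""
    if not ssl_ver_str or ssl_ver_str == "TLS":
        return build_client_context()
    try:
        floor = ssl.TLSVersion[ssl_ver_str]
    except KeyError:
        raise ValueError("unknown TLS version string %r" % ssl_ver_str)
    if floor < ssl.TLSVersion.TLSv1_2:
        raise ValueError("%s is deprecated; not enabling it" % ssl_ver_str)
    if floor == ssl.TLSVersion.TLSv1_3 and not ssl.HAS_TLSv1_3:
        raise ValueError("this Python/OpenSSL build has no TLS 1.3 support")
    return build_client_context(min_version=floor)


if __name__ == "__main__":
    print("legacy lookup for TLSv1_3:", legacy_best_tls_protocol("TLSv1_3"))
    print("TLS 1.3 in this build:", tls13_available())
    ctx = context_for_cqlshrc_version("TLS")
    print("negotiable with no pin:", [v.name for v in negotiable_versions(ctx)])
```

Run it and the first line prints `None`, which is exactly the hole the legacy lookup falls into; the last line lists TLSv1_3 (when the build has it) and TLSv1_2, and nothing older, which is the behaviour you want from "don't set a version".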