DataStax Help Center

Unable to use SSL with java 7 on latest Ubuntu

Brief Description

There is a known issue when enabling ssl encryption on clusters running java 7 and versions of ubuntu with the latest security updates. Specifically, an issue has been discovered when OpsCenter attempts to connect to an SSL enabled DSE server (client to node encryption). The solution is to upgrade any affected clusters to java 8. 


Ubuntu has released a security update to all of it's current releases to address some known SSL related security exploits. The ubuntu security notes are here:

This security update will prevent openssl from allowing keys smaller than 1024 bytes for security reasons. Java 7 defaults to a key size of 768 which causes ssl handshakes to fail. This issue is known to affect OpsCenter and may possibly manifest itself in other areas as well. 

In OpsCenter, the bug will cause the following errors to display in each log:


2016-05-06 15:01:51+0000 [wk_dev] WARN: HTTP request failed: [<twisted.python.failure.Failure <class 'OpenSSL.SSL.Error'>>]
2016-05-06 15:01:51+0000 [wk_dev] ERROR: Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/opscenterd/", line 3530, in ServicesController
AgentRequestFailure: Failed query to : [<twisted.python.failure.Failure <class 'OpenSSL.SSL.Error'>>]


WARN [qtp1011149982-127934] 2016-05-06 15:00:00,099 Received fatal alert: handshake_failure


This bug should only affect users who meet the following requirements:

  • Running agents with Java 7
  • Running DSE 4.6/4.7/4.8
  • Running Ubuntu
  • Have applied the ubuntu security patches from May 2016
  • Have client to node encryption enabled

If you fall into this category, the workaround is to upgrade the version of java the agents are using to java 8. If you are on any release newer than 4.6.5, DSE will support java 8 and it can be upgraded across the system for both DSE and agents. If you are on a release before 4.6.5 or are uncomfortable upgrading the version of java DSE is using, you can install java 8 separately and use that only for agents without changing DSE. Instructions for pointing agents at a specific java install are here:


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Powered by Zendesk