SSL in Causal Cluster

Hi There

I have set up a stand-alone server with a self-signed certificate, and it works perfectly; I'm able to access it on port 7473.

When I followed the same steps for a causal cluster of 3 nodes, I'm able to start the 3 nodes,
but they fail to elect the leader.
When I check the debug logs, it says "SSL Handshake Exception."

Please help me to debug.

2019-05-10 10:34:06.723+0000 ERROR [o.n.c.p.h.HandshakeClientInitializer] Exception in inbound for channel: [id: 0xba66ef55, L:/172.XX.XX.XX:51216 ! R:ss-neoclusterc.gcp-npe.internal/172.17.136.176:7000] javax.net.ssl.SSLHandshakeException: General SSLEngine problem
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:591)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:508)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
	at java.lang.Thread.run(Thread.java:748)
	at org.neo4j.helpers.NamedThreadFactory$2.run(NamedThreadFactory.java:122)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
	... 16 more

Hi!

Can you post the relevant pieces of the neo4j.conf?
Did you set a causal_clustering policy or using legacy?
But if I had to guess...
set dbms.ssl.policy..client_auth=none

The HTTPS and Bolt servers do not support client authentication (a.k.a. mutual authentication).
see
https://neo4j.com/docs/operations-manual/current/security/ssl-framework/
and https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.ssl.policy.-policyname-.client_auth


Thanks for your response, David!

Below is my SSL configuration:

bolt.ssl_policy=client
https.ssl_policy=client
causal_clustering.ssl_policy=cluster

dbms.ssl.policy.client.base_directory=/opt/neo4j-enterprise/certificates/client
dbms.ssl.policy.cluster.base_directory=/opt/neo4j-enterprise/certificates/cluster

dbms.ssl.policy.client.base_directory=/opt/neo4j-enterprise/certificates/client
dbms.ssl.policy.cluster.base_directory=/opt/neo4j-enterprise/certificates/cluster

dbms.ssl.policy.client.trust_all=false
dbms.ssl.policy.cluster.trust_all=false

dbms.ssl.policy.client.private_key=/opt/neo4j-enterprise/certificates/client/server.key
dbms.ssl.policy.cluster.private_key=/opt/neo4j-enterprise/certificates/cluster/server.key

dbms.ssl.policy.client.public_certificate=/opt/neo4j-enterprise/certificates/client/server.crt
dbms.ssl.policy.cluster.public_certificate=/opt/neo4j-enterprise/certificates/cluster/server.crt


dbms.ssl.policy.client.trusted_dir=/opt/neo4j-enterprise/certificates/client/trusted
dbms.ssl.policy.cluster.trusted_dir=/opt/neo4j-enterprise/certificates/cluster/trusted

dbms.ssl.policy.client.client_auth=require
dbms.ssl.policy.cluster.client_auth=require

I think I'm clearly making a mistake somewhere... Do I need to have the same certificates across the servers? Or do I need to keep each server's .crt file in the trust store of every other server?

Make that
dbms.ssl.policy.cluster.client_auth=none

I don't think the cert needs to be the same; in fact it is usually different unless you have a domain wildcard cert.
Yes, you may need to put the cert into the trust store.
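A small lint over the dbms.ssl.policy.* settings that surfaces the two problems discussed above (client_auth=require on the HTTPS/Bolt policy, and a cluster policy that requires client certificates each node does not yet trust). This is an added example, not code from Neo4j or from anyone in this thread; the parser only understands the connector and policy keys quoted in this thread, and SAMPLE_CONF is a constructed copy of the posted settings with the paths omitted.

```python
import re

POLICY_RE = re.compile(r"^dbms\.ssl\.policy\.([^.\s]+)\.([^=\s]+)\s*=\s*(.*)$")
CONNECTOR_RE = re.compile(r"^(bolt|https|causal_clustering)\.ssl_policy\s*=\s*(\S+)$")


def parse_conf(text):
    """Split neo4j.conf text into {policy: {setting: value}} and {connector: policy}."""
    policies, connectors = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := POLICY_RE.match(line):
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
        elif m := CONNECTOR_RE.match(line):
            connectors[m.group(1)] = m.group(2)
    return policies, connectors


def lint(text):
    """Return (connector, problem) pairs for the client_auth mistakes seen in this thread."""
    policies, connectors = parse_conf(text)
    findings = []
    for connector, name in sorted(connectors.items()):
        policy = policies.get(name, {})
        client_auth = policy.get("client_auth", "")
        # HTTPS and Bolt cannot do mutual TLS, so 'require' on their policy is a misconfiguration.
        if connector in ("bolt", "https") and client_auth == "require":
            findings.append((connector, f"dbms.ssl.policy.{name}.client_auth=require is "
                                        "unsupported for HTTPS/Bolt; set it to none"))
        # Cluster mutual TLS only works once every peer's server.crt sits in each node's trusted_dir.
        if connector == "causal_clustering" and client_auth == "require":
            findings.append((connector, f"dbms.ssl.policy.{name}.client_auth=require: peers must "
                                        "trust each other's public_certificate or the handshake fails"))
        # trust_all=true silently disables certificate verification on that connector.
        if policy.get("trust_all") == "true":
            findings.append((connector, f"dbms.ssl.policy.{name}.trust_all=true disables verification"))
    return findings


# Constructed sample that mirrors the settings posted in this thread (paths omitted).
SAMPLE_CONF = """bolt.ssl_policy=client
https.ssl_policy=client
causal_clustering.ssl_policy=cluster
dbms.ssl.policy.client.trust_all=false
dbms.ssl.policy.cluster.trust_all=false
dbms.ssl.policy.client.client_auth=require
dbms.ssl.policy.cluster.client_auth=require
"""
```

Running lint(SAMPLE_CONF) reports all three connectors; switching both client_auth values to none, as suggested above, leaves no findings.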

Hi David

It did work after setting the parameter to

dbms.ssl.policy.cluster.client_auth=none/optional

I also added the .crt files to each other server's truststore.

However, I'm not able to access the Neo4j cluster on the HTTPS port. How can I confirm that my cluster is using SSL encryption when the nodes communicate with each other?

Thanks so much !!