[
https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727870#comment-14727870
]
Robert Stupp commented on CASSANDRA-9590:
-----------------------------------------
Patch and tests look good so far.
Some notes:
* Can you add the option {{native_transport_port_ssl}} to
{{conf/cassandra.yaml}} (commented out, but with some words describing its
meaning and how it relates to {{native_transport_port}})? You can use {{9142}}
as the (commented out) standard port. Maybe also a note that it's beneficial to
install the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files_?
* Let startup fail if both {{native_transport_port}} and
{{native_transport_port_ssl}} are set but {{client_encryption_options}} is not
enabled. It is a configuration failure. At the moment it silently just doesn't
start SSL at all.
* The unit tests look good, but never start NetworkTransportService with SSL
enabled - but that's ok as there are dtests.
* dtests unfortunately don't work on my machine. Is the {{keystone.jks}} file
mentioned in the test source missing? (Ping me if you need some logs or so.)
I tested the stuff manually using a self-signed cert with cqlsh and it works
(with JCE policy files).
> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
> Key: CASSANDRA-9590
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
> Project: Cassandra
> Issue Type: Improvement
> Components: Core
> Reporter: Stefan Podkowinski
> Assignee: Stefan Podkowinski
> Fix For: 2.1.x
>
>
> Enabling encryption for native transport currently turns SSL exclusively on
> or off for the opened socket. Migrating from plain to encrypted requires
> migrating all native clients as well and redeploying all of them at the same
> time after starting the SSL enabled Cassandra nodes.
> This patch would allow starting Cassandra with both an unencrypted and an ssl
> enabled native port. Clients can connect to either, based on whether they
> support ssl or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}}
> config option.
> There would be three scenarios:
> * client encryption disabled, {{native_transport_port}} unencrypted,
> {{native_transport_port_ssl}} not used
> * client encryption enabled, {{native_transport_port_ssl}} not set,
> {{native_transport_port}} encrypted
> * client encryption enabled, {{native_transport_port_ssl}} set,
> {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal:
> [Branch|https://github.com/spodkowinski/cassandra/tree/cassandra-9590], [Diff
> cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590],
> [Patch against
> cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590.patch]
> DTest:
> [Branch|https://github.com/spodkowinski/cassandra-dtest/tree/cassandra-9590],
> [Diff
> master|https://github.com/riptano/cassandra-dtest/compare/master...spodkowinski:cassandra-9590]
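As an added example (not code from the patch or from Cassandra itself), the three scenarios listed in the description and the fail-at-startup check requested in the comment, written as a small Python validation over cassandra.yaml-style keys. The 9042 default for the plain port and the collapsing of an ssl port equal to the plain port into a single encrypted listener are assumptions, not stated in the ticket.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


class ConfigurationException(Exception):
    """Raised for a startup-time configuration failure."""


@dataclass(frozen=True)
class Listener:
    port: int
    encrypted: bool


def resolve_native_transport_listeners(config: Dict) -> List[Listener]:
    """Return the native transport listeners implied by the settings.

    Scenarios from the ticket description:
      1. client encryption disabled           -> native_transport_port, plain
      2. encryption enabled, no ssl port      -> native_transport_port, encrypted
      3. encryption enabled, ssl port set     -> native_transport_port plain,
                                                 native_transport_port_ssl encrypted
    Setting native_transport_port_ssl while client encryption is disabled is
    rejected at startup instead of silently starting without SSL.
    """
    port = int(config.get("native_transport_port", 9042))  # assumed default
    ssl_port: Optional[int] = config.get("native_transport_port_ssl")
    enc_opts = config.get("client_encryption_options") or {}
    enabled = bool(enc_opts.get("enabled", False))

    if ssl_port is not None and not enabled:
        raise ConfigurationException(
            "native_transport_port_ssl is set but "
            "client_encryption_options.enabled is false"
        )
    if not enabled:
        return [Listener(port, encrypted=False)]
    if ssl_port is None or int(ssl_port) == port:
        # Assumption: an ssl port equal to the plain port means one encrypted
        # listener only; the ticket does not describe this case.
        return [Listener(port, encrypted=True)]
    return [Listener(port, encrypted=False), Listener(int(ssl_port), encrypted=True)]
```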
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)