[ https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727870#comment-14727870 ]
Robert Stupp commented on CASSANDRA-9590:
-----------------------------------------

Patch and tests look good so far. Some notes:

* Can you add the option {{native_transport_port_ssl}} to {{conf/cassandra.yaml}} (commented out, but with some words describing its meaning and how it relates to {{native_transport_port}})? You can use {{9142}} as the (commented out) standard port. Maybe also a note that it's beneficial to install the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_?
* Let startup fail if both {{native_transport_port}} and {{native_transport_port_ssl}} are set but {{client_encryption_options}} is not enabled. It is a configuration failure. At the moment it silently just does not start SSL at all.
* The unit tests look good, but never start NetworkTransportService with SSL enabled - but that's ok as there are dtests.
* dtests unfortunately don't work on my machine. Is the {{keystone.jks}} file mentioned in the test source missing? (Ping me, if you need some logs or so.)

I tested the stuff manually using a self-signed cert with cqlsh and it works (with JCE policy files).

> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-9590
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 2.1.x
>
>
> Enabling encryption for native transport currently turns SSL exclusively on or off for the opened socket. Migrating from plain to encrypted requires migrating all native clients as well and redeploying all of them at the same time after starting the SSL enabled Cassandra nodes.
> This patch would allow starting Cassandra with both an unencrypted and an ssl enabled native port. Clients can connect to either, based on whether they support ssl or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}} config option.
> There would be three scenarios:
> * client encryption disabled, {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} not used
> * client encryption enabled, {{native_transport_port_ssl}} not set, {{native_transport_port}} encrypted
> * client encryption enabled, {{native_transport_port_ssl}} set, {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal:
> [Branch|https://github.com/spodkowinski/cassandra/tree/cassandra-9590], [Diff cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590], [Patch against cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590.patch]
> DTest:
> [Branch|https://github.com/spodkowinski/cassandra-dtest/tree/cassandra-9590], [Diff master|https://github.com/riptano/cassandra-dtest/compare/master...spodkowinski:cassandra-9590]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
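The three port scenarios in the issue description, together with the fail-fast check asked for in the review (both ports configured but client encryption not enabled), can be written down as a small port-resolution routine. The following is an added example, not code from the Cassandra tree or from either commenter: the config is a plain dict mirroring the cassandra.yaml keys named on the page, the names `resolve_native_ports`, `NativePorts` and `ConfigurationError` are chosen here, and the check that the two ports differ is an extra sanity check not mentioned in the ticket.

```python
"""Resolve which native transport ports are plain and which are TLS.

Added example for CASSANDRA-9590, not Cassandra's own code. The input mirrors
the cassandra.yaml keys discussed in the ticket: native_transport_port,
native_transport_port_ssl and client_encryption_options.enabled.
"""
from dataclasses import dataclass
from typing import Optional


class ConfigurationError(ValueError):
    """A configuration that should abort node startup (hypothetical name)."""


@dataclass(frozen=True)
class NativePorts:
    plain: Optional[int]  # port serving unencrypted CQL, or None
    tls: Optional[int]    # port serving TLS-only CQL, or None


def resolve_native_ports(config: dict) -> NativePorts:
    """Map a config dict onto the three scenarios from the issue description.

    Scenario 1: encryption disabled          -> only the plain port is served.
    Scenario 2: encryption on, no ssl port   -> native_transport_port is TLS.
    Scenario 3: encryption on, ssl port set  -> plain port stays plain,
                                                native_transport_port_ssl is TLS.
    A set ssl port without encryption enabled is rejected instead of being
    silently served in plaintext (the behaviour the review asks to fail on).
    """
    port = config.get("native_transport_port", 9042)   # 9042 is Cassandra's default
    ssl_port = config.get("native_transport_port_ssl")  # None when not configured
    enc = config.get("client_encryption_options") or {}
    encryption_enabled = bool(enc.get("enabled", False))

    # Extra sanity check (assumption, not from the ticket): the two listeners
    # cannot share one port number.
    if ssl_port is not None and ssl_port == port:
        raise ConfigurationError(
            "native_transport_port_ssl must differ from native_transport_port")

    if not encryption_enabled:
        if ssl_port is not None:
            raise ConfigurationError(
                "native_transport_port_ssl is set but "
                "client_encryption_options.enabled is false")
        return NativePorts(plain=port, tls=None)          # scenario 1

    if ssl_port is None:
        return NativePorts(plain=None, tls=port)          # scenario 2

    return NativePorts(plain=port, tls=ssl_port)          # scenario 3


# Constructed sample configurations, one per scenario plus the rejected case.
SAMPLE_CONFIGS = {
    "plain_only": {"native_transport_port": 9042},
    "tls_only": {"native_transport_port": 9042,
                 "client_encryption_options": {"enabled": True}},
    "dual_port": {"native_transport_port": 9042,
                  "native_transport_port_ssl": 9142,
                  "client_encryption_options": {"enabled": True}},
    "ssl_port_without_encryption": {"native_transport_port": 9042,
                                    "native_transport_port_ssl": 9142,
                                    "client_encryption_options": {"enabled": False}},
}


def check_all(configs: dict = SAMPLE_CONFIGS) -> dict:
    """Resolve every sample config; misconfigurations map to their error text."""
    results = {}
    for name, cfg in configs.items():
        try:
            results[name] = resolve_native_ports(cfg)
        except ConfigurationError as exc:
            results[name] = f"startup refused: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name:30s} {outcome}")
```

Note that `native_transport_port` always has a default, so "both ports set" in the review effectively means "an SSL port was configured"; the routine therefore refuses to start whenever `native_transport_port_ssl` is present and encryption is off, rather than quietly opening it as a second plaintext listener.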