[ https://issues.apache.org/jira/browse/CASSANDRA-11164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145213#comment-15145213 ]

Stefan Podkowinski commented on CASSANDRA-11164:
------------------------------------------------

bq. You need the filtering to ensure that you don't attempt to use an 
unsupported cipher suite. 

You should never have to pick a cipher. The TLS protocol will handle this
during
[handshake|https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake]
as part of the cipher suite negotiation. The client will offer a list of
supported ciphers that the server can choose from. The only reason you want to
manually filter ciphers is to avoid
[downgrade attacks|https://en.wikipedia.org/wiki/Downgrade_attack].
As SSL in Java 8 isn't known to be vulnerable to such attacks, there's no
point in manually filtering ciphers or protocols. Therefore I'd suggest
sticking with CASSANDRA-10508.

> Order and filter cipher suites correctly
> ----------------------------------------
>
>                 Key: CASSANDRA-11164
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11164
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Tom Petracca
>            Priority: Minor
>             Fix For: 2.2.x
>
>         Attachments: 11164-2.2.txt
>
>
> As pointed out in https://issues.apache.org/jira/browse/CASSANDRA-10508, 
> SSLFactory.filterCipherSuites() doesn't respect the ordering of desired 
> ciphers in cassandra.yaml.
> Also the fix that occurred for 
> https://issues.apache.org/jira/browse/CASSANDRA-3278 is incomplete and needs 
> to be applied to all locations where we create an SSLSocket so that JCE is 
> not required out of the box or with additional configuration.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
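
Added example, not part of the original message or of the attached 11164-2.2.txt patch: an order-preserving cipher suite filter of the kind the issue description asks for, written against the standard JSSE API. The class name `OrderedCipherFilter`, the helper `filterPreservingOrder` and the sample preference list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class OrderedCipherFilter {
    /** Hypothetical helper: keep only supported suites, in the order the operator listed them. */
    static String[] filterPreservingOrder(String[] desired, String[] supported) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String suite : desired) {
            if (!supportedSet.contains(suite)) {
                // Surface the drop so a misconfigured list is visible to the operator.
                System.err.println("Dropping unsupported cipher suite: " + suite);
            } else if (!kept.contains(suite)) {
                kept.add(suite); // iteration follows 'desired', so its order is preserved
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample preference list; the last entry is deliberately not a real suite.
        String[] desired = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_NOT_A_REAL_SUITE"
        };
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = filterPreservingOrder(desired, supported);
        if (enabled.length == 0) {
            // Fail closed rather than silently falling back to JVM defaults.
            throw new IllegalStateException("No configured cipher suite is supported by this JVM");
        }
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(enabled);
        // Java 8+: on the server side, prefer this list's order over the client's.
        params.setUseCipherSuitesOrder(true);
        System.out.println(Arrays.toString(params.getCipherSuites()));
    }
}
```

Filtering through a `HashSet` of the desired names and then iterating the JVM's supported list would keep the JVM's order instead, which is the behaviour the issue description reports.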
