[ https://issues.apache.org/jira/browse/CASSANDRA-11164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145213#comment-15145213 ]
Stefan Podkowinski commented on CASSANDRA-11164:
------------------------------------------------

bq. You need the filtering to ensure that you don't attempt to use an unsupported cipher suite.

You should never have to pick a cipher. The TLS protocol will handle this during [handshake|https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake] as part of the cipher suite negotiation. The client will offer a list of supported ciphers that the server can choose from.

The only reason you want to manually filter ciphers is to avoid [downgrade attacks|https://en.wikipedia.org/wiki/Downgrade_attack]. As SSL in Java 8 isn't known to be vulnerable to such attacks, there's no point in manually filtering ciphers or protocols. Therefore I'd suggest sticking with CASSANDRA-10508.

> Order and filter cipher suites correctly
> ----------------------------------------
>
>                 Key: CASSANDRA-11164
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11164
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Tom Petracca
>            Priority: Minor
>             Fix For: 2.2.x
>
>         Attachments: 11164-2.2.txt
>
>
> As pointed out in https://issues.apache.org/jira/browse/CASSANDRA-10508,
> SSLFactory.filterCipherSuites() doesn't respect the ordering of desired
> ciphers in cassandra.yaml.
> Also the fix that occurred for
> https://issues.apache.org/jira/browse/CASSANDRA-3278 is incomplete and needs
> to be applied to all locations where we create an SSLSocket so that JCE is
> not required out of the box or with additional configuration.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
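The ordering problem named in the issue description above, as an added example that is not part of the original message and is not Cassandra's code: a set-based intersection drops unsupported suites but loses the configured preference order, while walking the configured list keeps it. The class name, method names and the `desired` list are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherOrderExample {
    // Set intersection: removes unsupported suites, but HashSet iteration
    // order is unrelated to the order the operator configured.
    static String[] filterUnordered(String[] supported, String[] desired) {
        Set<String> kept = new HashSet<>(Arrays.asList(desired));
        kept.retainAll(new HashSet<>(Arrays.asList(supported)));
        return kept.toArray(new String[0]);
    }

    // Order-preserving filter: walk the configured list in order and keep
    // only what this JVM supports (duplicates collapse to first occurrence).
    static String[] filterOrdered(String[] supported, String[] desired) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        Set<String> kept = new LinkedHashSet<>();
        for (String suite : desired)
            if (available.contains(suite))
                kept.add(suite);
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        // Constructed preference list, strongest first. The last entry is a
        // deliberately fake name standing in for a suite this JVM lacks.
        String[] desired = {
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_EXAMPLE_UNSUPPORTED_SUITE"
        };

        String[] ordered = filterOrdered(supported, desired);
        System.out.println("unordered: " + Arrays.toString(filterUnordered(supported, desired)));
        System.out.println("ordered:   " + Arrays.toString(ordered));

        // The filtered list is what would be handed to every socket or engine
        // via setSSLParameters(); with this flag set, the server picks by its
        // own order during the handshake instead of the client's.
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(ordered);
        params.setUseCipherSuitesOrder(true); // available since Java 8
        System.out.println("server order honoured: " + params.getUseCipherSuitesOrder());
    }
}
```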