[ https://issues.apache.org/jira/browse/CASSANDRA-11405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jason Brown resolved CASSANDRA-11405.
-------------------------------------
    Resolution: Won't Fix

> Server encryption cannot be enabled with the IBM JRE 1.7
> --------------------------------------------------------
>
>                 Key: CASSANDRA-11405
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11405
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Configuration
>         Environment: Linux, IBM JRE 1.7
>            Reporter: Guillermo Vega-Toro
>             Fix For: 2.2.6
>
>
> When enabling server encryption with the IBM JRE (algorithm: IbmX509), an
> IllegalArgumentException is thrown from the IBM JSSE when the server is
> started:
>
> ERROR 10:04:37,326 Exception encountered during startup
> java.lang.IllegalArgumentException: SSLv2Hello
>         at com.ibm.jsse2.qb.a(qb.java:50)
>         at com.ibm.jsse2.pb.a(pb.java:101)
>         at com.ibm.jsse2.pb.<init>(pb.java:77)
>         at com.ibm.jsse2.oc.setEnabledProtocols(oc.java:77)
>         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:64)
>         at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:425)
>         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:409)
>         at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:693)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:623)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:515)
>         at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:437)
>         at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:567)
>         at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:656)
>
> The problem is that the IBM JSSE does not support SSLv2Hello, but this
> protocol is hard-coded in class org.apache.cassandra.security.SSLFactory:
>
>     public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
>
>     public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
>     {
>         SSLContext ctx = createSSLContext(options, true);
>         SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
>         serverSocket.setReuseAddress(true);
>         String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
>         serverSocket.setEnabledCipherSuites(suits);
>         serverSocket.setNeedClientAuth(options.require_client_auth);
>         serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
>         serverSocket.bind(new InetSocketAddress(address, port), 500);
>         return serverSocket;
>     }
>
> This ACCEPTED_PROTOCOLS array should not be hard-coded. It should rather read
> the protocols from configuration, or if the algorithm is IbmX509, simply do
> not call setEnabledProtocols - with the IBM JSSE, the enabled protocol is
> controlled by the protocol passed to SSLContext.getInstance.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
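
Added example, not part of the original message or of Cassandra's code: one way to avoid the IllegalArgumentException in the report is to intersect the wanted protocol list with what the JSSE provider returns from getSupportedProtocols() before calling setEnabledProtocols, and to fail closed if nothing remains. The class name, DESIRED_PROTOCOLS and both helper methods are hypothetical; the protocol list is the one quoted in the report.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ProtocolFilterExample
{
    // Hypothetical stand-in for a list read from configuration (values taken from the report).
    static final String[] DESIRED_PROTOCOLS = { "SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2" };

    /** Keep only the desired protocols the provider supports, preserving the desired order. */
    static String[] filterProtocols(String[] supported, String[] desired)
    {
        Set<String> available = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String protocol : desired)
            if (available.contains(protocol))
                enabled.add(protocol);
        return enabled.toArray(new String[0]);
    }

    /** Enable the filtered list; refuse to continue if no configured protocol is usable. */
    static void applyProtocols(SSLServerSocket socket, String[] desired)
    {
        String[] enabled = filterProtocols(socket.getSupportedProtocols(), desired);
        if (enabled.length == 0)
            throw new IllegalStateException("No configured protocol is supported: " + Arrays.toString(desired));
        socket.setEnabledProtocols(enabled);
    }

    public static void main(String[] args) throws Exception
    {
        // Constructed sample: a provider that lacks SSLv2Hello, as the report describes for the IBM JSSE.
        String[] constructedSupported = { "TLSv1", "TLSv1.1", "TLSv1.2" };
        System.out.println(Arrays.toString(filterProtocols(constructedSupported, DESIRED_PROTOCOLS)));

        // Same check against the running JRE's default provider (unbound socket, no network use).
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket socket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket())
        {
            applyProtocols(socket, DESIRED_PROTOCOLS);
            System.out.println(Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```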