[ https://issues.apache.org/jira/browse/CASSANDRA-10404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16211875#comment-16211875 ]

Jason Brown commented on CASSANDRA-10404:
-----------------------------------------

bq. [~spo...@gmail.com]: Would it make sense to fallback to 
SystemKeyspace.getReleaseVersion(ep)

This makes a lot of sense. Will add that in.

bq.  [~spo...@gmail.com] I've pushed a commit here that will honor the 
require_endpoint_verification flag for incoming connections.

Oops, yeah, looks like I missed adding the hostname check on the 
optional-tls path. Thanks!

bq. we should also enable require_client_auth by default?

I agree with [~eperott] and [~KurtG] that this is a nice goal, but we should 
not make it default. @stefan, perhaps send out a [DISCUSS] email to user@/dev@ 
and see if there's some reasonable support for it and we can do it, but I'd 
prefer not to add more behavior to this ticket.

bq. [~eperott] I did some manual verification on these patch sets using mixed 
major versions with SSL enabled. With good results.

I love this, thanks for giving it a test run.

bq. [~eperott]  I would prefer to keep 
OutboundConnectionIdentifier.withUpdatedRemotePort() next to 
withNewConnectionAddress()

Makes sense.

bq. [~eperott] If optional: true, then the legacy ssl_storage_port will also 
accept non-secured connections

Good catch - will fix.

Thanks all. I'll have an updated branch with these changes (and anything else 
since my last version) in a day or so.



> Node to Node encryption transitional mode
> -----------------------------------------
>
>                 Key: CASSANDRA-10404
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10404
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tom Lewis
>            Assignee: Jason Brown
>             Fix For: 4.x
>
>
> Create a transitional mode for encryption that allows encrypted and 
> unencrypted traffic node-to-node during a change over to encryption from 
> unencrypted. This alleviates downtime during the switch.
>  This is similar to CASSANDRA-10559 which is intended for client-to-node


