Joseph Lynch created CASSANDRA-15262: ----------------------------------------
Summary: server_encryption_options is not backwards compatible with 3.11
Key: CASSANDRA-15262
URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
Project: Cassandra
Issue Type: Bug
Components: Local/Config
Reporter: Joseph Lynch
Assignee: Joseph Lynch

The current `server_encryption_options` configuration options are as follows:

{noformat}
server_encryption_options:
    # set to true for allowing secure incoming connections
    enabled: false
    # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
    optional: false
    # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
    # during upgrade to 4.0; otherwise, set to false.
    enable_legacy_ssl_storage_port: false
    # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    # protocol: TLS
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    # require_client_auth: false
    # require_endpoint_verification: false
{noformat}

A couple of issues here:

1. `optional` defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason.
2. The provided protocol and cipher suites are not good ideas (in particular, encouraging anyone to use CBC ciphers is a bad plan).

I propose that before the 4.0 cut we fix up `server_encryption_options` and even `client_encryption_options`:

# Change the default {{optional}} setting to true. As the new Netty code intelligently decides to open a TLS connection or not, this is the more sensible default (it saves operators a step while transitioning to TLS as well).
# Update the defaults to what Netty actually defaults to.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
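The two complaints in the ticket (an `optional: false` default that a 3.11-style config never overrides, and a cipher list built from CBC and static-RSA suites) are both things an operator can check mechanically before upgrading. The script below is an added example written for this page, not code from the Cassandra project or from the ticket. It reads only the flat `key: value` and inline `[a, b]` syntax that the `server_encryption_options` block actually uses, so it needs no PyYAML; the two embedded `cassandra.yaml` fragments are constructed for the example, and the "hardened" one is an illustration of what the audit accepts, not the ticket's proposed defaults (the page does not say what Netty's defaults are).

```python
"""Audit server_encryption_options in a cassandra.yaml for the two problems
raised in CASSANDRA-15262.  Added example; not Cassandra project code.

The reader below is a deliberately small subset of YAML: it understands one
indented block of `key: value` lines plus inline `[a, b, c]` lists, which is
all this block uses.  It is not a general YAML parser."""

# Constructed sample 1: the defaults quoted in the ticket, with TLS switched on
# and the commented-out "advanced" defaults uncommented so the audit sees them.
SAMPLE_CURRENT = """\
server_encryption_options:
    # set to true for allowing secure incoming connections
    enabled: true
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: false
    require_endpoint_verification: false
client_encryption_options:
    enabled: false
"""

# Constructed sample 2: a hardened block (assumed values, not the ticket's
# proposal): optional true, a pinned protocol, AEAD + ECDHE suites only.
SAMPLE_HARDENED = """\
server_encryption_options:
    enabled: true
    optional: true   # transitional: plaintext peers still accepted on storage_port
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLSv1.2
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
    require_endpoint_verification: true
"""


def parse_block(text, section):
    """Return the flat key -> value mapping nested directly under `section`."""
    out, in_section, base_indent = {}, False, 0
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()      # drop comments
        if not stripped.strip():
            continue
        indent = len(stripped) - len(stripped.lstrip())
        if stripped.strip() == section + ":":
            in_section, base_indent = True, indent
            continue
        if in_section and indent <= base_indent:        # left the block
            break
        if in_section:
            key, _, value = stripped.strip().partition(":")
            value = value.strip()
            if value.startswith("[") and value.endswith("]"):
                value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            elif value.lower() in ("true", "false"):
                value = value.lower() == "true"
            out[key.strip()] = value
    return out


def audit(opts):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    # Issue 1 from the ticket: TLS on, but `optional` absent (3.11 configs never
    # had the key) or explicitly false, so the 4.0 default applies.
    if opts.get("enabled") is True and opts.get("optional", False) is not True:
        findings.append("optional is missing or false while TLS is enabled; "
                        "CASSANDRA-15262 reports this breaks existing 3.11 TLS configs")
    # Issue 2a: a bare "TLS" SSLContext name does not pin a minimum version
    # (JSSE also enables TLSv1.0/1.1 under it); expect an explicit TLSv1.2+.
    if opts.get("protocol") not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %r does not pin TLSv1.2 or later" % opts.get("protocol"))
    # Issue 2b: CBC-mode suites and suites without forward secrecy.
    for suite in opts.get("cipher_suites", []):
        reasons = []
        if "_CBC_" in suite:
            reasons.append("CBC mode")
        tls13 = suite.startswith(("TLS_AES_", "TLS_CHACHA20_"))  # always (EC)DHE
        if not tls13 and not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            findings.append("%s: %s" % (suite, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, text in (("current", SAMPLE_CURRENT), ("hardened", SAMPLE_HARDENED)):
        print("==", name)
        for f in audit(parse_block(text, "server_encryption_options")):
            print(" -", f)
```

On the ticket's defaults the audit reports the `optional` problem, the unpinned `protocol: TLS`, and all six suites (every one is CBC; the two `TLS_RSA_*` entries additionally lack forward secrecy); on the hardened block it reports nothing. To run it against a real file, replace the constructed samples with `open("/etc/cassandra/cassandra.yaml").read()`.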