[ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17092418#comment-17092418 ]

Ekaterina Dimitrova edited comment on CASSANDRA-15262 at 4/25/20, 11:46 PM:
----------------------------------------------------------------------------

[~jolynch], just rebased and tried to start the server before running CI but 
the following error appears when I try to start Cassandra:

INFO  [main] 2020-04-25 19:35:50,175 YamlConfigurationLoader.java:89 - Configuration location: file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Invalid yaml: file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
 Error: null; Can't construct a java object for tag:yaml.org,2002:org.apache.cassandra.config.Config; exception=Cannot create property=client_encryption_options for JavaBean=org.apache.cassandra.config.Config@18078bef; Cannot create property=enabled for JavaBean=org.apache.cassandra.config.EncryptionOptions@ee7e1c03; Unable to find property 'enabled' on class: org.apache.cassandra.config.EncryptionOptions;  in 'reader', line 10, column 1:
    cluster_name: 'Test Cluster'
    ^

That is because we still have it in config but we completely remove it from the 
yaml. I just saw an old comment where you mention this issue and realized it 
wasn't actually fixed on your branch. As you mentioned on Slack that only tests 
are needed, I was wondering whether you have it already fixed (maybe locally?) 
or I should take care of the issue?
I also checked whether we already have the tests as you mentioned on Slack that 
it might be the case, but looks like there are some tests but not exactly what 
we need.
 



> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations 
> for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular 
> encouraging anyone to use CBC ciphers is a bad plan)
> I propose that before the 4.0 cut we fix up server_encryption_options and even 
> client_encryption_options:
> # Change the default {{optional}} setting to true. As the new Netty code 
> intelligently decides to open a TLS connection or not this is the more 
> sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to
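
An added example, not part of the Jira issue or the Cassandra code base: a stdlib-only Python check over the `server_encryption_options` / `client_encryption_options` blocks in the layout quoted above. It flags CBC cipher suites and an `internode_encryption` value set while `enabled` is false; the sample YAML, function names and finding labels are constructed for illustration.

```python
import re

SECTIONS = ("server_encryption_options", "client_encryption_options")
# Constructed sample in the layout quoted in the issue (not a real deployment).
SAMPLE = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    enabled: false
    internode_encryption: all
    # protocol: TLS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
client_encryption_options:
    enabled: true
    # cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
"""

def parse_sections(yaml_text):
    """Collect the active (uncommented) key/value pairs of both encryption blocks."""
    out, current = {}, None
    for raw in yaml_text.splitlines():
        # Drop comments; assumes no '#' inside quoted values, true for these blocks.
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()
        if not line:
            continue
        if not line[0].isspace():  # a top-level key opens or closes a block
            name = line.split(":", 1)[0]
            current = name if name in SECTIONS else None
            if current:
                out[current] = {}
        elif current and ":" in line:
            key, value = line.strip().split(":", 1)
            out[current][key] = value.strip()
    return out

def audit(yaml_text):
    """Return (section, finding, details) tuples for the two checks."""
    findings = []
    for section, opts in parse_sections(yaml_text).items():
        suites = re.findall(r"TLS_[A-Z0-9_]+", opts.get("cipher_suites", ""))
        cbc = [s for s in suites if "_CBC_" in s]
        if cbc:
            findings.append((section, "cbc_cipher_suites", cbc))
        enabled = opts.get("enabled", "false").lower() == "true"
        mode = opts.get("internode_encryption", "none")
        if mode != "none" and not enabled:  # the comment says 'enabled' must be true
            findings.append((section, "internode_encryption_without_enabled", [mode]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Commented-out settings are ignored on purpose, so only values the node would actually load are reported.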


