[ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100511#comment-17100511 ]
Joey Lynch edited comment on CASSANDRA-15262 at 5/6/20, 6:38 AM:
-----------------------------------------------------------------

Got a chance to look at this today; the first test failure was just because the default for client optional switched to true. The second failure was because I was still referencing the enabled logic in the server, so we were not entering transitional mode.

||Cassandra Branch||Dtest Branch||
|[jolynch:CASSANDRA-15262|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262]|[jolynch:CASSANDRA_15262|https://github.com/apache/cassandra-dtest/commit/98c0be8789f1a016a1038bf3337c0fbbc8580bd6]|

Running dtests now. I agree, let's get this change just good enough so we can commit it, and we can revisit the naming of optional and internode_encryption_options in 15146 in 4.0-beta. I think because we added optional in 4.0 we can rename it to something like mode: <off, on, transitional> or similar... We can figure out the naming in 15146.

was (Author: jolynch):

Got a chance to look at this today; the first test failure was just because the default for client optional switched to true. The second failure was because I was still referencing the enabled logic in the server, so we were not entering transitional mode.

||Branch||Dtest Branch||
|[cassandra:CASSANDRA-15262|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262]|[dtest:CASSANDRA_15262|https://github.com/apache/cassandra-dtest/commit/98c0be8789f1a016a1038bf3337c0fbbc8580bd6]|

Running dtests now.
> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted
>     # connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
>
> A couple of issues here:
>
> 1. optional defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular, encouraging anyone to use CBC ciphers is a bad plan)
>
> I propose that before the 4.0 cut we fix up server_encryption_options and even client_encryption_options:
>
> # Change the default {{optional}} setting to true. As the new Netty code intelligently decides to open a TLS connection or not, this is the more sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what Netty actually defaults to

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
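As an added example (my own code, not from the ticket or the Cassandra project), the script below audits a `server_encryption_options` block for the two points the ticket raises (`optional: false`, CBC cipher suites) plus a few related checks an operator would want before turning on internode TLS: non-forward-secret `TLS_RSA_*` suites, an unpinned or legacy `protocol` value, and peer authentication flags. The first sample is the 4.0-alpha default block quoted above; the second, "proposed" block is my assumption of a hardened configuration in the spirit of the ticket (forward-secret AEAD suites, `optional: true`), not a value taken from the ticket or from any Cassandra release. The parser deliberately handles only the two-level `section:` / `key: value` layout shown here; real `cassandra.yaml` files should be loaded with a YAML library.

```python
"""Audit the server_encryption_options block of a cassandra.yaml.

Added example, not Cassandra project code. Only the simple layout quoted
in CASSANDRA-15262 is parsed (section header, indented key: value lines,
[a, b] flow lists, # comments); use a YAML library for real files.
"""

SECTION = "server_encryption_options"

# Constructed sample 1: the 4.0-alpha defaults quoted in the ticket,
# with the commented-out "advanced defaults" uncommented so they are audited.
CURRENT_DEFAULTS = """\
server_encryption_options:
    enabled: false
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: false
    require_endpoint_verification: false
"""

# Constructed sample 2 (an assumption, not a value from the ticket or any
# Cassandra release): optional switched to true as the ticket proposes,
# TLS version pinned, forward-secret AEAD suites, mutual auth on.
PROPOSED = """\
server_encryption_options:
    enabled: true
    optional: true
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLSv1.2
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
    require_client_auth: true
    require_endpoint_verification: true
"""


def parse_section(text, section=SECTION):
    """Return {key: value} for the indented block under `section:`."""
    opts = {}
    in_section = False
    for raw in text.splitlines():
        # Drop comments; a password containing '#' would need a real YAML parser.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a top-level key
            in_section = line.rstrip(":") == section
            continue
        if not in_section:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        elif value.lower() in ("true", "false"):
            value = value.lower() == "true"
        opts[key.strip()] = value
    return opts


# JSSE protocol names that select SSL or pre-1.2 TLS.
WEAK_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def audit(opts):
    """Return a list of (code, detail) findings for one options dict."""
    findings = []
    if opts.get("enabled", False) is not True:
        findings.append(("tls-disabled", "enabled is not true: internode TLS is off"))
    if opts.get("optional", False) is not True:
        findings.append(("no-transitional-mode",
                         "optional is false: storage_port will not accept both plaintext "
                         "and TLS peers during a rollout (the ticket proposes true)"))
    if opts.get("internode_encryption", "none") == "none":
        findings.append(("outbound-plaintext",
                         "internode_encryption is none: outbound peer connections stay unencrypted"))
    protocol = opts.get("protocol")
    if protocol in WEAK_PROTOCOLS:
        findings.append(("weak-protocol", f"protocol {protocol} selects SSL or pre-1.2 TLS"))
    elif protocol == "TLS":
        findings.append(("unpinned-protocol",
                         "protocol TLS does not pin a version; the enabled set depends on the JDK"))
    suites = opts.get("cipher_suites", [])
    cbc = [s for s in suites if "_CBC_" in s]
    if cbc:
        findings.append(("cbc-suites", f"{len(cbc)} CBC suites: {', '.join(cbc)}"))
    static_rsa = [s for s in suites if s.startswith("TLS_RSA_")]
    if static_rsa:
        findings.append(("no-forward-secrecy",
                         f"static RSA key exchange (no forward secrecy): {', '.join(static_rsa)}"))
    if opts.get("require_client_auth", False) is not True:
        findings.append(("no-client-auth",
                         "require_client_auth is false: peers are not authenticated by certificate"))
    if opts.get("require_endpoint_verification", False) is not True:
        findings.append(("no-hostname-check",
                         "require_endpoint_verification is false: peer certificate identity is not checked"))
    return findings


def audit_text(text):
    return audit(parse_section(text))


if __name__ == "__main__":
    for name, text in (("current defaults", CURRENT_DEFAULTS), ("proposed", PROPOSED)):
        found = audit_text(text)
        print(f"{name}: {len(found)} finding(s)")
        for code, detail in found:
            print(f"  [{code}] {detail}")
```

Run as-is it reports eight findings against the quoted defaults and none against the hardened block; point it at your own file with `audit_text(open("cassandra.yaml").read())` once the block has been uncommented, since commented-out keys are stripped before parsing and therefore not audited.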