[ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17135305#comment-17135305 ]
Joey Lynch edited comment on CASSANDRA-15262 at 6/14/20, 11:53 PM:
-------------------------------------------------------------------

I didn't make any server changes on 2.2 or 3.0, I was only running them to check that my dtest change still works with them. If neither native_transport_ssl_test nor sslnodetonode_test fail against 2.2 or 3.0 I think we are good.

I've rebased, cleaned up the patches per the commit guidelines and staged the server and dtest patches for commit:

||Repo||Branch||Commit||
|Cassandra|[CASSANDRA-15262-final|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262-final]|[08520aa3|https://github.com/apache/cassandra/commit/08520aa39aa3e884dae2f13652fa98d315371a1e]|
|Dtest|[CASSANDRA_15262|https://github.com/apache/cassandra-dtest/compare/master...jolynch:CASSANDRA-15262]|[11ac60df|https://github.com/jolynch/cassandra-dtest/commit/11ac60df9497c6f9ea277aad42b465117a43b8c8]|

Testing in progress:
* [Trunk - Java 8 Tests|https://app.circleci.com/pipelines/github/jolynch/cassandra/20/workflows/db3d061a-7c5f-4811-bae9-f7469386cc2b]
* [Trunk - Java 11 Tests|https://app.circleci.com/pipelines/github/jolynch/cassandra/20/workflows/9d6c3b86-6207-4ead-aa4b-79022fc84182]
* [2.2 - Tests|https://app.circleci.com/pipelines/github/jolynch/cassandra/21/workflows/c441a44a-9c0b-4035-812b-46385c5ce626]
* [3.0 - Tests|https://app.circleci.com/pipelines/github/jolynch/cassandra/22/workflows/10b2afed-cabb-4d4d-a599-4ce3fffac719]


> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted
>     # connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely
>     # connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
>
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular encouraging anyone to use CBC ciphers is a bad plan)
>
> I propose that before the 4.0 cut we fixup server_encryption_options and even client_encryption_options:
> # Change the default {{optional}} setting to true. As the new Netty code intelligently decides to open a TLS connection or not this is the more sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to
>
> --
> This message was sent by Atlassian Jira
> (v8.3.4#803005)
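The excerpt quoted in the ticket, run through a small configuration lint. This is an added example for this thread, not code from the Cassandra project or from the ticket author. Everything beyond the ticket's own excerpt is this example's assumption: the parser understands only the flat one-key-per-line YAML subset shown in the excerpt (so it needs no YAML library), commented-out `# key: value` lines are treated as the documented defaults the way the cassandra.yaml excerpt presents them, and the rule set (CBC suites, a protocol not pinned to a TLS version, the placeholder password `cassandra`, and the `enabled`/`internode_encryption` and `enabled`/`optional` combinations the excerpt and the ticket describe) is chosen here, not provided by Cassandra. It goes slightly beyond the ticket by merging an operator's explicit values over the commented defaults, so a partly edited block is linted as the effective configuration.

```python
"""Lint a cassandra.yaml server_encryption_options block for the weak defaults
discussed in CASSANDRA-15262.

Added example, not Cassandra project code. Handles only the flat YAML subset
shown in the ticket; the rule set below is this example's own choice.
"""
import re

# Constructed sample: the block quoted in the ticket, free-text comments removed.
TICKET_CONFIG = """\
server_encryption_options:
    enabled: false
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    # protocol: TLS
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    # require_client_auth: false
    # require_endpoint_verification: false
"""

KEY_LINE = re.compile(r"^([A-Za-z_]+):\s*(.*)$")
PINNED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: versions acceptable to pin
DEFAULT_PASSWORD = "cassandra"            # placeholder password from the excerpt


def parse_block(text, section="server_encryption_options"):
    """Return (explicit, documented_defaults) for the indented lines under `section`.

    Explicit 'key: value' lines fill the first dict; '# key: value' lines fill
    the second. Bracketed values become lists; free-text comments are skipped.
    """
    explicit, defaults = {}, {}
    in_section = False
    for raw in text.splitlines():
        if not raw.startswith((" ", "\t")):  # top-level line: a section header
            in_section = raw.strip().rstrip(":") == section
            continue
        if not in_section:
            continue
        line = raw.strip()
        target = explicit
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            target = defaults
        match = KEY_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        target[key] = value
    return explicit, defaults


def lint(explicit, defaults):
    """Return (key, message) findings over the effective settings.

    Explicit values override documented defaults, which is what takes effect
    when an operator leaves the commented lines untouched.
    """
    eff = {**defaults, **explicit}
    findings = []

    suites = eff.get("cipher_suites", [])
    cbc = [s for s in suites if "_CBC_" in s]
    if cbc:
        findings.append(("cipher_suites",
                         f"{len(cbc)} of {len(suites)} suites are CBC-mode; "
                         "the ticket calls encouraging CBC ciphers a bad plan"))

    if eff.get("protocol") not in PINNED_PROTOCOLS:
        findings.append(("protocol",
                         f"protocol {eff.get('protocol')!r} is not pinned to "
                         "TLSv1.2/TLSv1.3; the JVM picks the negotiated version"))

    for key in ("keystore_password", "truststore_password"):
        if eff.get(key) == DEFAULT_PASSWORD:
            findings.append((key, "still the placeholder password from the shipped excerpt"))

    if eff.get("enabled") == "false" and eff.get("internode_encryption", "none") != "none":
        findings.append(("internode_encryption",
                         "outbound encryption requested but 'enabled' is false; "
                         "the excerpt says 'enabled' must be set to true"))

    if eff.get("enabled") == "true" and eff.get("optional") == "false":
        findings.append(("optional",
                         "TLS-only on storage_port; the ticket proposes optional: true "
                         "as the default so peers mid-transition are still accepted"))
    return findings


def lint_text(text):
    """Parse and lint one cassandra.yaml excerpt in a single call."""
    return lint(*parse_block(text))


if __name__ == "__main__":
    for key, msg in lint_text(TICKET_CONFIG):
        print(f"{key}: {msg}")
```

Run as a script it reports the four findings the ticket excerpt produces (the six CBC suites, the unpinned `TLS` protocol, and the two placeholder passwords); `lint()` can also be called with an operator's edited values layered over the parsed defaults to see which findings a proposed change clears.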