[ https://issues.apache.org/jira/browse/CASSANDRA-15980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17166046#comment-17166046 ]
Jon Meredith commented on CASSANDRA-15980:
------------------------------------------

Patch almost ready for submission, here are some sample log output lines.

Example of SSL enabled messaging connections being established

{code:java}
INFO [Messaging-EventLoop-3-11] 2020-07-27 16:36:14,746 InboundConnectionInitiator.java:241 - connection from peer /127.0.0.1:62955 to /127.0.0.1:7000, protocol = TLSv1.2
INFO [Messaging-EventLoop-3-12] 2020-07-27 16:36:14,747 InboundConnectionInitiator.java:241 - connection from peer /127.0.0.1:62956 to /127.0.0.1:7000, protocol = TLSv1.2
INFO [Messaging-EventLoop-3-12] 2020-07-27 16:36:14,761 InboundConnectionInitiator.java:457 - 127.0.0.3:7000(127.0.0.1:62956)->127.0.0.1:7000-LARGE_MESSAGES-7dc6697c messaging connection established, version = 12, framing = CRC, encryption = enabled (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
INFO [Messaging-EventLoop-3-11] 2020-07-27 16:36:14,761 InboundConnectionInitiator.java:457 - 127.0.0.3:7000(127.0.0.1:62955)->127.0.0.1:7000-SMALL_MESSAGES-24cc4a4e messaging connection established, version = 12, framing = CRC, encryption = enabled (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
{code}

And establishing streaming connections

{code:java}
INFO [Messaging-EventLoop-3-12] 2020-07-27 16:40:27,516 InboundConnectionInitiator.java:396 - 127.0.0.1:7000(127.0.0.3:63208)->127.0.0.3:7000-STREAMING-64b53f77 streaming connection established, version = 12, framing = UNPROTECTED, encryption = enabled (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
{code}

> Improve log messages for socket connection/disconnection
> --------------------------------------------------------
>
>                 Key: CASSANDRA-15980
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15980
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Observability/Logging
>            Reporter: Jon Meredith
>            Assignee: Jon Meredith
>            Priority: Normal
>             Fix For: 4.0-beta
>
>
> Logging for inbound SSL connections can take place before protocol negotiation has taken place and logs a misleading cipher that could cause problems for security auditing.
>
> {code:java}
> INFO 2020-07-03T13:57:58,380 [Messaging-EventLoop-3-1] org.apache.cassandra.net.InboundConnectionInitiator:242 - connection from peer /1.1.1.1:57899 to /2.2.2.2:7000, protocol = TLSv1.2, cipher suite = SSL_NULL_WITH_NULL_NULL
> {code}
>
> Instead Cassandra should log the connection & protocol, then once the cipher has been negotiated log the agreed upon cipher.
>
> If the inbound SSL connection does not present a client certificate, Cassandra logs this error, even if the client wasn't required to.
> {code:java}
> ERROR 2020-07-14T11:58:45,925 [Native-Transport-Requests-1] org.apache.cassandra.transport.ServerConnection:140 - Failed to get peer certificates for peer /4.3.2.1:59263
> {code}
>
> Logging the absence of verified certificates should be a concern of the SaslNegotiator if it requires it, and not something worth alerting the operator for generally. Downgrade to debug message to make investigation possible if needed.
>
> Finally, to help with logging issues related to disconnection, add a log statement when an instance decides it no longer needs to keep a gossip connection open when cleaning up connections in org.apache.cassandra.net.OutboundConnections.UnusedConnectionMonitor#closeUnusedSinceLastRun

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
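Added example, not part of the ticket and not Cassandra's own code: a small Python audit pass over the two log formats quoted above. It parses the post-negotiation "connection established" line for protocol and cipher, and separately recognises the pre-patch pattern the ticket describes, where the pre-negotiation "connection from peer" line carries the placeholder SSL_NULL_WITH_NULL_NULL that would mislead an auditor. The sample log lines embedded in the block are constructed after the ticket's examples; the regular expressions, the accepted-protocol set and the cipher_is_preferred policy (ECDHE key exchange with an AEAD bulk cipher) are assumptions of this example, not anything Cassandra ships.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the formats quoted in the ticket:
# two new-style lines from the comment, and the pre-patch line from the description.
SAMPLE_LOG = """\
INFO [Messaging-EventLoop-3-11] 2020-07-27 16:36:14,746 InboundConnectionInitiator.java:241 - connection from peer /127.0.0.1:62955 to /127.0.0.1:7000, protocol = TLSv1.2
INFO [Messaging-EventLoop-3-12] 2020-07-27 16:36:14,761 InboundConnectionInitiator.java:457 - 127.0.0.3:7000(127.0.0.1:62956)->127.0.0.1:7000-LARGE_MESSAGES-7dc6697c messaging connection established, version = 12, framing = CRC, encryption = enabled (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
INFO [Messaging-EventLoop-3-12] 2020-07-27 16:40:27,516 InboundConnectionInitiator.java:396 - 127.0.0.1:7000(127.0.0.3:63208)->127.0.0.3:7000-STREAMING-64b53f77 streaming connection established, version = 12, framing = UNPROTECTED, encryption = enabled (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
INFO 2020-07-03T13:57:58,380 [Messaging-EventLoop-3-1] org.apache.cassandra.net.InboundConnectionInitiator:242 - connection from peer /1.1.1.1:57899 to /2.2.2.2:7000, protocol = TLSv1.2, cipher suite = SSL_NULL_WITH_NULL_NULL
"""

# Pre-negotiation line (assumed regex): only the protocol is known at this point;
# a trailing "cipher suite = ..." is the pre-patch behaviour the ticket fixes.
HANDSHAKE_RE = re.compile(
    r"connection from peer (?P<peer>[^\s,]+) to (?P<local>[^\s,]+), "
    r"protocol = (?P<protocol>[\w.]+)(?:, cipher suite = (?P<cipher>\S+))?"
)
# Post-negotiation line (assumed regex) with the "(k=v;k=v)" encryption details.
ESTABLISHED_RE = re.compile(
    r"(?P<conn>\S+) (?P<kind>messaging|streaming) connection established, "
    r"version = (?P<version>\d+), framing = (?P<framing>\w+), "
    r"encryption = (?P<encryption>\w+)(?: \((?P<details>[^)]*)\))?"
)
PLACEHOLDER_CIPHER = "SSL_NULL_WITH_NULL_NULL"   # reported before any suite is agreed
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}      # local policy assumption


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of either log format, or None for unrelated lines."""
    m = ESTABLISHED_RE.search(line)
    if m:
        fields = {"event": "established",
                  **{k: v for k, v in m.groupdict().items() if v is not None}}
        # Expand "factory=openssl;protocol=TLSv1.2;cipher=..." into separate fields.
        for kv in filter(None, fields.pop("details", "").split(";")):
            key, _, value = kv.partition("=")
            fields[key.strip()] = value.strip()
        return fields
    m = HANDSHAKE_RE.search(line)
    if m:
        return {"event": "handshake",
                **{k: v for k, v in m.groupdict().items() if v is not None}}
    return None


def cipher_is_preferred(cipher: str) -> bool:
    """Local policy assumption: forward secrecy (ECDHE) plus an AEAD bulk cipher."""
    return cipher.startswith("TLS_ECDHE_") and ("_GCM_" in cipher or "CHACHA20" in cipher)


def audit_fields(fields: Dict[str, str]) -> List[str]:
    """Reasons an auditor should look at this connection; empty list means clean."""
    reasons: List[str] = []
    if fields["event"] == "handshake":
        # Any cipher on the pre-negotiation line is not an agreed suite.
        if fields.get("cipher") == PLACEHOLDER_CIPHER:
            reasons.append("placeholder cipher logged before negotiation completed")
        elif "cipher" in fields:
            reasons.append("cipher reported before negotiation; treat as unverified")
        return reasons
    if fields.get("encryption") != "enabled":
        reasons.append("encryption not enabled")
        return reasons
    if fields.get("protocol") not in ACCEPTED_PROTOCOLS:
        reasons.append(f"protocol {fields.get('protocol')} not in accepted set")
    cipher = fields.get("cipher", "")
    if not cipher_is_preferred(cipher):
        reasons.append(f"cipher {cipher or '<missing>'} lacks forward secrecy or AEAD")
    return reasons


def audit_log(text: str) -> List[Tuple[str, str]]:
    """Run the audit over a log excerpt; returns (connection or peer, reason) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        ident = fields.get("conn") or fields.get("peer", "?")
        for reason in audit_fields(fields):
            findings.append((ident, reason))
    return findings


if __name__ == "__main__":
    for ident, reason in audit_log(SAMPLE_LOG):
        print(f"{ident}: {reason}")
```

On the constructed sample the audit reports the two established connections for their RSA-key-exchange CBC suite and the pre-patch line for its placeholder cipher, while the new-style pre-negotiation line (protocol only) passes; that is the distinction the ticket wants the log format itself to make.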