[ https://issues.apache.org/jira/browse/CASSANDRA-13325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17233896#comment-17233896 ]
Jon Meredith commented on CASSANDRA-13325: ------------------------------------------ Thanks for the review, pushed up a commit picking up the SSLFactory simplification and added the missing {{@Test}}s. > Bring back the accepted encryption protocols list as configurable option > ------------------------------------------------------------------------ > > Key: CASSANDRA-13325 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13325 > Project: Cassandra > Issue Type: Improvement > Components: Local/Config > Reporter: Nachiket Patil > Assignee: Jon Meredith > Priority: Low > Fix For: 4.0-beta > > Attachments: trunk.diff > > Time Spent: 40m > Remaining Estimate: 0h > > With CASSANDRA-10508, the hard coded list of accepted encryption protocols > was eliminated. For some use cases, it is necessary to restrict the > encryption protocols used for communication between client and server. > Default JVM way of negotiations allows the best encryption protocol that > client can use. > e.g. I have set Cassandra to use encryption. Ideally client and server > negotiate to use best protocol (TLSv1.2). But a malicious client might force > TLSv1.0 which is susceptible to POODLE attacks. > At the moment only way to restrict the encryption protocol is using the > {{jdk.tls.client.protocols}} systems property. If I dont have enough access > to modify this property, I dont have any way of restricting the encryption > protocols. > I am proposing bring back the accepted_protocols property but make it > configurable. If not specified, let the JVM take care of the TLS negotiations. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org