[ https://issues.apache.org/jira/browse/CASSANDRA-13325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17242011#comment-17242011 ]
David Capwell commented on CASSANDRA-13325:
-------------------------------------------

Left comments in GH, mostly LGTM. The only real comment I had was about ref counting the ssl engine, so think this can be +1ed tomorrow once addressed.

> Bring back the accepted encryption protocols list as configurable option
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13325
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Config
>            Reporter: Nachiket Patil
>            Assignee: Jon Meredith
>            Priority: Low
>             Fix For: 4.0-beta
>
>         Attachments: trunk.diff
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> With CASSANDRA-10508, the hard coded list of accepted encryption protocols
> was eliminated. For some use cases, it is necessary to restrict the
> encryption protocols used for communication between client and server.
> Default JVM way of negotiations allows the best encryption protocol that
> client can use.
> e.g. I have set Cassandra to use encryption. Ideally client and server
> negotiate to use best protocol (TLSv1.2). But a malicious client might force
> TLSv1.0 which is susceptible to POODLE attacks.
> At the moment only way to restrict the encryption protocol is using the
> {{jdk.tls.client.protocols}} system property. If I don't have enough access
> to modify this property, I don't have any way of restricting the encryption
> protocols.
> I am proposing to bring back the accepted_protocols property but make it
> configurable. If not specified, let the JVM take care of the TLS negotiations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
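The behaviour the issue description asks for, as an added, stand-alone illustration that is not Cassandra's own code from this ticket's patch: an explicit `accepted_protocols` list (a hypothetical configuration value here) narrows the protocols enabled on each `SSLEngine`, while an empty or absent list leaves the JVM's own defaults in place, which is what the `jdk.tls.client.protocols` property would otherwise govern. The class and method names below are assumptions for the example, not identifiers from the Cassandra code base.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AcceptedProtocolsExample {

    // Hypothetical equivalent of an accepted_protocols config entry.
    // null or empty means "not specified": leave the JVM defaults alone.
    static SSLEngine newEngine(SSLContext ctx, List<String> acceptedProtocols, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);

        if (acceptedProtocols == null || acceptedProtocols.isEmpty()) {
            return engine; // JVM negotiates with its default enabled set
        }

        // Only protocols the provider actually supports can be enabled;
        // a typo such as "TLSv1.4" would otherwise be silently ignored
        // or throw from setEnabledProtocols, so fail loudly up front.
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> enabled = new ArrayList<>();
        for (String p : acceptedProtocols) {
            if (!supported.contains(p)) {
                throw new IllegalArgumentException("accepted_protocols contains unsupported protocol: " + p);
            }
            enabled.add(p);
        }
        // Explicitly enabled protocols apply to this engine regardless of
        // the jdk.tls.client.protocols system property.
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();

        // Not specified: whatever the JVM considers enabled by default.
        SSLEngine dflt = newEngine(ctx, null, false);
        System.out.println("JVM default : " + Arrays.toString(dflt.getEnabledProtocols()));

        // Restricted: a server engine that will refuse a TLSv1.0 ClientHello.
        SSLEngine strict = newEngine(ctx, Arrays.asList("TLSv1.2", "TLSv1.3"), false);
        System.out.println("restricted  : " + Arrays.toString(strict.getEnabledProtocols()));
    }
}
```

Running this with a JDK that still ships TLSv1 and TLSv1.1 as supported protocols shows the two lists diverging; with a restricted engine a peer that offers only TLSv1.0 fails the handshake instead of being downgraded to it. After deploying such a setting, the practical check is to open a connection that offers only the excluded version (for example `openssl s_client -tls1`) against the server and confirm it is rejected.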