[ 
https://issues.apache.org/jira/browse/CASSANDRA-17367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dmitry Potepalov updated CASSANDRA-17367:
-----------------------------------------
    Status: Patch Available  (was: Open)

> sstableloader ignores streaming encryption settings
> ---------------------------------------------------
>
>                 Key: CASSANDRA-17367
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17367
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Dmitry Potepalov
>            Assignee: Dmitry Potepalov
>            Priority: Normal
>             Fix For: 4.0.x, 4.x
>
>         Attachments: 17367-4.0.txt, 17367-trunk.txt
>
>
> Reproducible in Cassandra 4.x. If one configures encryption for streaming in 
> the config YAML fed to sstableloader like this:
> {{server_encryption_options:}}
> {{    internode_encryption: all}}
> {{    keystore: sstableloader.keystore.p12}}
> {{    keystore_password: changeit}}
> {{    truststore: sstableloader.truststore.jks}}
> {{    truststore_password: changeit}}
> then sstableloader should perform an SSL handshake on the streaming 
> connections and encrypt the payload. But this does not happen. Judging by the 
> tcpdump of the outgoing traffic on the internode port, sstableloader sends 
> plaintext traffic. This is the TCP payload of the first packet that 
> sstableloader sends after establishing the TCP connection:
> {{ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0}}
> The first 4 bytes look like Cassandra protocol magic, not like a client hello.
> I've discovered the issue while trying to migrate some data to a Cassandra 4 
> listening on the legacy SSL storage port (therefore, accepting only encrypted 
> connections on that port). The streaming phase of the migration failed with a 
> "connection closed" error, which hints that the connection was closed 
> server-side.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
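
The check described in the report (does the first client payload on the internode port start a TLS handshake or carry the Cassandra magic in the clear?) can be automated as below. This is an added example, not code from the issue or the Cassandra project; the function names are hypothetical, the ClientHello sample is constructed, and the input is assumed to be the first client-to-server TCP payload taken from a capture.

```python
import struct

# Magic bytes seen at the start of the plaintext payload quoted in the issue.
CASSANDRA_MAGIC = bytes.fromhex("ca552dfa")

# First payload as reported in the issue description.
REPORTED_PAYLOAD = bytes.fromhex(
    "ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0")

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_MAX_RECORD = 2 ** 14   # maximum TLS plaintext record length


def build_sample_client_hello_prefix() -> bytes:
    """Constructed sample: TLS record header plus a minimal ClientHello start."""
    body = b"\x03\x03" + bytes(32)  # legacy_version + zeroed random (constructed)
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client payload of a streaming connection."""
    if payload[:4] == CASSANDRA_MAGIC:
        return "plaintext-cassandra"
    if len(payload) < 6:
        return "unknown"
    ctype, major, minor, length = struct.unpack(">BBBH", payload[:5])
    if (ctype == TLS_HANDSHAKE and major == 0x03 and minor <= 0x04
            and 0 < length <= TLS_MAX_RECORD
            and payload[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    return "unknown"


def unencrypted_flows(first_payloads: dict) -> list:
    """Return the flow labels whose first payload is not a TLS ClientHello."""
    return [name for name, data in first_payloads.items()
            if classify_first_payload(data) != "tls-client-hello"]


if __name__ == "__main__":
    flows = {  # flow labels are constructed for the example
        "sstableloader->node (reported)": REPORTED_PAYLOAD,
        "tls-client->node (constructed)": build_sample_client_hello_prefix(),
    }
    for name, data in flows.items():
        print(name, "=>", classify_first_payload(data))
```
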
