[ https://issues.apache.org/jira/browse/CASSANDRA-17367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494822#comment-17494822 ]
Brandon Williams commented on CASSANDRA-17367:
----------------------------------------------

4.0: [j8|https://app.circleci.com/pipelines/github/driftx/cassandra/372/workflows/79d13c71-76b0-4145-9871-bb9d47ee2ab2], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/372/workflows/12c899f4-0396-4c8b-bb3f-f35fc97f6b06]
trunk: [j8|https://app.circleci.com/pipelines/github/driftx/cassandra/373/workflows/06936965-722e-43df-9a7b-7c17ff04a468], [j11|https://app.circleci.com/pipelines/github/driftx/cassandra/373/workflows/9d2fc929-37d5-4f77-b08a-ab1318e6ebc2]

> sstableloader ignores streaming encryption settings
> ---------------------------------------------------
>
>                 Key: CASSANDRA-17367
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17367
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Dmitry Potepalov
>            Assignee: Dmitry Potepalov
>            Priority: Normal
>             Fix For: 4.0.x, 4.x
>
>         Attachments: 17367-4.0.txt, 17367-trunk.txt
>
>
> Reproducible in Cassandra 4.x. If one configures encryption for streaming in
> config yaml fed to sstableloader like this
> {{server_encryption_options:}}
> {{ internode_encryption: all}}
> {{ keystore: sstableloader.keystore.p12}}
> {{ keystore_password: changeit}}
> {{ truststore: sstableloader.truststore.jks}}
> {{ truststore_password: changeit}}
> then sstableloader should perform an SSL handshake on the streaming
> connections and encrypt the payload. But this does not happen. Judging by the
> TCPdump of the outgoing traffic on the internode port, sstableloader sends
> plaintext traffic. This is the TCP payload of the first packet that
> sstableloader sends after establishing TCP connection:
> {{ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0}}
> The first 4 bytes look like Cassandra protocol magic, not like a client hello.
> I've discovered the issue while trying to migrate some data to a Cassandra 4
> listening on the legacy ssl storage port (therefore, accepting only encrypted
> connections on that port). Streaming phase of the migration failed with a
> "connection closed" error, which hints that the connection was closed
> server-side.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
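
The check the reporter describes, telling a TLS ClientHello apart from plaintext Cassandra framing by the first bytes a peer sends, written out as an added example; it is not part of the ticket or of the Cassandra code base. The function names, the flow labels and the sample ClientHello prefix are constructed for illustration; the plaintext payload is the one quoted in the ticket.

```python
import struct

# First four bytes of the payload in the ticket, which the reporter reads as
# Cassandra protocol magic.
CASSANDRA_MAGIC = bytes.fromhex("ca552dfa")

# First payload captured by the reporter (hex dump quoted in the ticket).
TICKET_PAYLOAD = bytes.fromhex(
    "ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0")

# Constructed sample: TLS record header (handshake, version 3.1, length 200)
# followed by the start of a ClientHello handshake message (type 1).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03")

TLS_HANDSHAKE = 0x16       # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01    # handshake message type "client_hello"
TLS_MAX_RECORD = 1 << 14   # maximum plaintext record length


def classify_first_payload(data: bytes) -> str:
    """Classify the first application bytes sent on a new TCP connection."""
    if len(data) < 4:
        return "too-short"
    if data[:4] == CASSANDRA_MAGIC:
        return "cassandra-plaintext"
    if len(data) >= 6:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
        if (ctype == TLS_HANDSHAKE and major == 0x03 and minor <= 0x04
                and 0 < rec_len <= TLS_MAX_RECORD
                and data[5] == TLS_CLIENT_HELLO):
            return "tls-client-hello"
    return "unknown"


def non_tls_flows(first_payloads: dict) -> list:
    """Return the flows whose first payload is not a TLS ClientHello,
    i.e. candidates for unencrypted streaming on a TLS-only port."""
    return sorted(name for name, data in first_payloads.items()
                  if classify_first_payload(data) != "tls-client-hello")


if __name__ == "__main__":
    flows = {"loader->node1": TICKET_PAYLOAD,        # payload from the ticket
             "node2->node1": SAMPLE_CLIENT_HELLO}    # constructed
    for name, data in flows.items():
        print(name, classify_first_payload(data))
    print("non-TLS:", non_tls_flows(flows))
```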