[ https://issues.apache.org/jira/browse/CASSANDRA-17367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496485#comment-17496485 ]
Berenguer Blasi commented on CASSANDRA-17367:
---------------------------------------------

I _think_ (and [~brandon.williams] can correct me) there were problems in the past about connecting without SSL to a node configured with SSL. Like we had to support both ways, which is why the test doesn't originally connect to the SSL port? I would leave the original test as it was and add yours as a new test method. Otherwise we'd need to also fix the other test in the class which doesn't use the SSL port either. On top of that the original test is using legacy sstables and now we'd be removing that which is suspicious. I think it might be safer to just add your test as a new one, but I may be just imagining things in my bad memory, so I'll defer to [~brandon.williams] to see if he knows better?

> sstableloader ignores streaming encryption settings
> ---------------------------------------------------
>
>                 Key: CASSANDRA-17367
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17367
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Dmitry Potepalov
>            Assignee: Dmitry Potepalov
>            Priority: Normal
>             Fix For: 4.0.x, 4.x
>
>         Attachments: 17367-4.0.txt, 17367-trunk.txt
>
>
> Reproducible in Cassandra 4.x. If one configures encryption for streaming in
> config yaml fed to sstableloader like this
> {{server_encryption_options:}}
> {{ internode_encryption: all}}
> {{ keystore: sstableloader.keystore.p12}}
> {{ keystore_password: changeit}}
> {{ truststore: sstableloader.truststore.jks}}
> {{ truststore_password: changeit}}
> then sstableloader should perform an SSL handshake on the streaming
> connections and encrypt the payload. But this does not happen. Judging by the
> TCPdump of the outgoing traffic on the internode port, sstableloader sends
> plaintext traffic. This is the TCP payload of the first packet that
> sstableloader sends after establishing TCP connection:
> {{ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0}}
> The first 4 bytes look like Cassandra protocol magic, not like a client hello.
> I've discovered the issue while trying to migrate some data to a Cassandra 4
> listening on the legacy ssl storage port (therefore, accepting only encrypted
> connections on that port). Streaming phase of the migration failed with a
> "connection closed" error, which hints that the connection was closed
> server-side.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
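
The check the report performs by eye on the tcpdump output (Cassandra protocol magic versus a TLS client hello in the first packet), written out as an added example that is not part of the original message or of the Cassandra code base. The function names, the flow table and the ClientHello prefix are constructed for illustration; the 19-byte payload is the one quoted in the report.

```python
import struct

# First payload quoted in the report; it starts with ca 55 2d fa.
REPORTED = bytes.fromhex("ca552dfa0c0c0c08060af001f91b58a832f2d0")
CASSANDRA_MAGIC = REPORTED[:4]
# Constructed sample: TLS record header plus the start of a ClientHello.
CONSTRUCTED_HELLO = bytes.fromhex("16030100050100000100")

TLS_HANDSHAKE = 0x16      # record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
TLS_MAX_RECORD = 2 ** 14  # largest plaintext record length


def classify_first_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends after the TCP handshake."""
    if len(payload) < 4:
        return "truncated"
    if payload[:4] == CASSANDRA_MAGIC:
        return "cassandra-plaintext"
    if len(payload) < 6:
        return "truncated"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # Record-layer versions seen on a ClientHello are 0x0300 to 0x0303.
    if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 3
            and 0 < length <= TLS_MAX_RECORD
            and payload[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    return "unknown"


def plaintext_on_tls_port(flows: dict) -> list:
    """Return flow names whose first payload is not a TLS ClientHello."""
    return sorted(name for name, first in flows.items()
                  if classify_first_payload(first) != "tls-client-hello")


if __name__ == "__main__":
    # Constructed flow table: one entry per connection seen on a TLS-only port.
    flows = {"sstableloader": REPORTED, "tls-peer": CONSTRUCTED_HELLO}
    for name, first in flows.items():
        print(name, classify_first_payload(first))
    print("violations:", plaintext_on_tls_port(flows))
```
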