[ https://issues.apache.org/jira/browse/CASSANDRA-17365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517358#comment-17517358 ]

Stefan Miklosovic commented on CASSANDRA-17365:
-----------------------------------------------

[~brandon.williams] this makes sense to me to do, do you agree? I am not sure 
if we should upgrade Python first and then remove it or vice versa, but it 
seems like we can already do it as of now in 3.6 and the current driver version. 

I am just thinking ... don't we want to somehow force the TLS version used? 
Even for debugging purposes? Do we want to autonegotiate?

> Remove deprecated version specific TLS in CQLSH
> -----------------------------------------------
>
>                 Key: CASSANDRA-17365
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17365
>             Project: Cassandra
>          Issue Type: Task
>          Components: CQL/Interpreter
>            Reporter: Brad Schoening
>            Assignee: Brad Schoening
>            Priority: Normal
>             Fix For: 4.x
>
>
> According to [https://docs.python.org/3/library/ssl.html] use of explicit TLS 
> versions v1, v1_1 and v1_2 has been deprecated in Python 3.6+ in favor of 
> auto-negotiation of the highest protocol version that both the client and 
> server support.
>  * {{ssl.PROTOCOL_TLSv1}}
>  * {{ssl.PROTOCOL_TLSv1_1}}
>  * {{ssl.PROTOCOL_TLSv1_2}}
> The above are deprecated since version 3.6: OpenSSL has deprecated all 
> version specific protocols.
> This affects cqlshlib/sslhandling.py and cqlshlib/test/test_sslhandling.py. 
> And also config files test/config/{sslhandling.config, sslhandling_invalid.config}
>  
> "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 
> 3.0, TLS 1.0, and TLS 1.1 not be used"
> [https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF]
> The DataStax driver has addressed this in 3.25 with this update:
> Update security documentation and examples to use PROTOCOL_TLS (PYTHON-1264)
> [https://datastax-oss.atlassian.net/browse/PYTHON-1264]
> [https://github.com/datastax/python-driver/commit/8331eca6cc96d8bd3af2e37bc64693747515c2b6]
> This change will also remove the unit test class test_sslhandling.py which 
> only tested version lookups and nothing else with ssl.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
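
An added example, not code from cqlsh or the DataStax driver: one way to combine the auto-negotiation described in the issue with the TLS 1.2 floor from the quoted NSA guidance, plus an optional pin for debugging. The function names and the pin_version option are hypothetical; only the Python ssl module calls are real.

```python
import ssl

# Versions a user may pin to; the floor follows the NSA guidance quoted above.
ALLOWED = {
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}
# Names that old config files may still carry; refused with a clear error.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}


def normalize(name):
    """Accept 'TLSv1_2', 'PROTOCOL_TLSv1_2' or 'ssl.PROTOCOL_TLSv1_2'."""
    name = name.strip()
    for prefix in ("ssl.", "PROTOCOL_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def build_client_context(pin_version=None, cafile=None):
    """Return a client SSLContext that negotiates the highest shared version,
    never below TLS 1.2. pin_version (hypothetical option) fixes one version,
    e.g. to reproduce a handshake problem while debugging."""
    # PROTOCOL_TLS_CLIENT auto-negotiates and enables certificate and
    # hostname verification by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pin_version is not None:
        key = normalize(pin_version)
        if key in OBSOLETE:
            raise ValueError(f"{key} is obsolete; use TLSv1_2 or TLSv1_3")
        if key not in ALLOWED:
            raise ValueError(f"unknown TLS version: {pin_version!r}")
        # Same lower and upper bound means exactly one version is offered.
        ctx.minimum_version = ctx.maximum_version = ALLOWED[key]
    return ctx
```

After a handshake, SSLSocket.version() reports the version that was actually negotiated, which covers the debugging case without pinning.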
