[
https://issues.apache.org/jira/browse/CASSANDRA-17365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517630#comment-17517630
]
Stefan Miklosovic commented on CASSANDRA-17365:
-----------------------------------------------
I think it should be documented somewhere here (1) already but it is not there
yet and we are removing it but still, I would put there the version saying it
will be autonegotiated.
There is also doc/modules/cassandra/pages/tools/cqlsh.adoc but there is only
the reference to that cqlshrc sample hence I think covering it in cqlshrc
template would be enough.
You know what, just be sure the patch is working and done as agreed and I ll
take care of the rest, no worries. Just let me know. Thank you.
(1) https://github.com/apache/cassandra/blob/trunk/conf/cqlshrc.sample#L103-L113
> Remove deprecated version specific TLS in CQLSH
> -----------------------------------------------
>
> Key: CASSANDRA-17365
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17365
> Project: Cassandra
> Issue Type: Task
> Components: CQL/Interpreter
> Reporter: Brad Schoening
> Assignee: Brad Schoening
> Priority: Normal
> Fix For: 4.x
>
> Attachments: signature.asc
>
>
> According to [https://docs.python.org/3/library/ssl.html] use of explicit TLS
> versions v1, v1_1 and v1_2 has been deprecated in Python 3.6+ in favor of
> auto-negotiation of the highest protocol version that both the client and
> server support.
> * {{{}ssl.{}}}{{{}PROTOCOL_TLSv1{}}}
> * {{{}ssl.{}}}{{{}PROTOCOL_TLSv1_1{}}}
> * {{{}ssl.{}}}{{{}PROTOCOL_TLSv1_2{}}}
> The above are deprecated since version 3.6: OpenSSL has deprecated all
> version specific protocols.
> This affects cqlshlib/sslhandling.py and cqlshlib/test/test_sslhandling.py.
> And also config files test/config/
> {sslhandling.config, sslhandling_invalid.config}
>
> "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL
> 3.0, TLS 1.0, and TLS 1.1 not be used"
> [https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF]
> The DataStax driver has addressed this in 3.25 with this update:
> Update security documentation and examples to use PROTOCOL_TLS (PYTHON-1264)
> [https://datastax-oss.atlassian.net/browse/PYTHON-1264]
> [https://github.com/datastax/python-driver/commit/8331eca6cc96d8bd3af2e37bc64693747515c2b6]
> This change will also remove the unit test class test_sslhandling.py which
> only tested version lookups and nothing else with ssl.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
