Andy Tolbert created CASSANDRA-18778: ----------------------------------------
Summary: Empty keystore_password no longer allowed on encryption_options Key: CASSANDRA-18778 URL: https://issues.apache.org/jira/browse/CASSANDRA-18778 Project: Cassandra Issue Type: Bug Components: Local/Config Reporter: Andy Tolbert Assignee: Andy Tolbert After CASSANDRA-18124 (introduced in 4.1.2 and 5.0) it is no longer possible to set an empty {{keystore_password}} under {{client_encryption_options}} or {{server_encryption_options}} using the default implementation {{{}DefaultSslContextFactory{}}}. While keytool does not allow generating keystores with empty passwords, it does support reading them. It is not uncommon to use PKCS12 certificates generated by other tools (eg. openssl) that do not enforce passwords. The fix for this should be pretty straightforward, which should involve changing [FileBasedSslContextFactory.validatePassword|https://github.com/apache/cassandra/blob/cassandra-4.1.2/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java#L128-L135] to only disallow null passwords (which would be consistent with previous versions). I will create pull requests against the relevant branches shortly. {noformat} Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Failed to initialize SSL org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1155) at org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:390) at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:204) at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:188) at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:804) at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:747) at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:875) Caused by: java.io.IOException: Failed to create SSL context using Native transport at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:405) at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1150) ... 6 more Caused by: java.lang.IllegalArgumentException: 'keystore_password' must be specified at org.apache.cassandra.security.FileBasedSslContextFactory.validatePassword(FileBasedSslContextFactory.java:133) at org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java:151) at org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:181) at org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:168) at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:355) ... 7 more {noformat} -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org