[ https://issues.apache.org/jira/browse/CASSANDRA-18778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756997#comment-17756997 ]
Andy Tolbert commented on CASSANDRA-18778:
------------------------------------------

(y) thanks, would appreciate additional eyes.

I believe it may also be valid to pass a {{null}} password to {{KeyStore.load}} or {{KeyManagerFactory.init}}, but Cassandra 4.0 also disallows null {{keystore_password}} (but allows empty string) in config validation, so felt ok to keep doing the same for consistency:

C* 4.0:
{noformat}
2023-08-11 19:37:43,595 ERROR [main] org.apache.cassandra.service.CassandraDaemon - Exception encountered during startup: Invalid yaml. Those properties [keystore_password] are not valid
{noformat}

> Empty keystore_password no longer allowed on encryption_options
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-18778
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18778
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>             Fix For: 4.1.x, 5.0.x
>
>
> After CASSANDRA-18124 (introduced in 4.1.2 and 5.0) it is no longer possible
> to set an empty {{keystore_password}} under {{client_encryption_options}} or
> {{server_encryption_options}} using the default implementation
> {{DefaultSslContextFactory}}.
> While keytool does not allow generating keystores with empty passwords, it
> does support reading them. It is not uncommon to use PKCS12 certificates
> generated by other tools (e.g. openssl) that do not enforce passwords.
> The fix for this should be pretty straightforward, which should involve
> changing
> [FileBasedSslContextFactory.validatePassword|https://github.com/apache/cassandra/blob/cassandra-4.1.2/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java#L128-L135]
> to only disallow null passwords (which would be consistent with previous
> versions). I will create pull requests against the relevant branches shortly.
> {noformat}
> Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Failed to initialize SSL
> org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
>     at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1155)
>     at org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:390)
>     at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:204)
>     at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:188)
>     at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:804)
>     at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:747)
>     at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:875)
> Caused by: java.io.IOException: Failed to create SSL context using Native transport
>     at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:405)
>     at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1150)
>     ... 6 more
> Caused by: java.lang.IllegalArgumentException: 'keystore_password' must be specified
>     at org.apache.cassandra.security.FileBasedSslContextFactory.validatePassword(FileBasedSslContextFactory.java:133)
>     at org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java:151)
>     at org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:181)
>     at org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:168)
>     at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:355)
>     ... 7 more
> {noformat}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
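
The null-versus-empty distinction discussed in this thread, as an added example that is not part of the original message and is not Cassandra's code: it builds a constructed in-memory PKCS12 store with an empty password, reads it back through {{KeyStore.load}} and {{KeyManagerFactory.init}}, and compares two checks. The class name and the methods {{validateStrict}}, {{validateNullOnly}} and {{outcome}} are hypothetical; only the exception message is taken from the stack trace above, and a standard JDK is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;

public class EmptyKeystorePasswordDemo {
    // Hypothetical stand-in for the behaviour the issue reports: empty is rejected too.
    static void validateStrict(char[] password) {
        if (password == null || password.length == 0)
            throw new IllegalArgumentException("'keystore_password' must be specified");
    }

    // Hypothetical stand-in for the proposed fix: only null is rejected.
    static void validateNullOnly(char[] password) {
        if (password == null)
            throw new IllegalArgumentException("'keystore_password' must be specified");
    }

    // Runs a check and reports whether it accepted or rejected the password.
    static String outcome(Runnable check) {
        try { check.run(); return "accepted"; }
        catch (IllegalArgumentException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        char[] empty = new char[0];

        // Constructed sample: a PKCS12 store with no entries, saved with an empty password.
        KeyStore written = KeyStore.getInstance("PKCS12");
        written.load(null, null);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        written.store(buf, empty);

        // The JDK reads the store back and initialises a KeyManagerFactory with the same password.
        KeyStore read = KeyStore.getInstance("PKCS12");
        read.load(new ByteArrayInputStream(buf.toByteArray()), empty);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(read, empty);
        System.out.println("JDK loaded store with empty password, entries: " + read.size());

        // The validation layer, not the JDK, decides whether that configuration is usable.
        System.out.println("strict check, empty password:    " + outcome(() -> validateStrict(empty)));
        System.out.println("null-only check, empty password: " + outcome(() -> validateNullOnly(empty)));
        System.out.println("null-only check, null password:  " + outcome(() -> validateNullOnly(null)));
    }
}
```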