[ https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17765882#comment-17765882 ]
Jon Meredith commented on CASSANDRA-18681:
------------------------------------------

4.1 [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-4.1] [PR|https://github.com/apache/cassandra/pull/2693]
5.0 [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-5.0] [PR|https://github.com/apache/cassandra/pull/2694]
Trunk [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-trunk] [PR|https://github.com/apache/cassandra/pull/2695]

CI Results (pending):
||Branch||Source||Circle CI||Jenkins||
|cassandra-4.1|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-4.1-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-4.1-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2595/]|
|cassandra-5.0|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-5.0-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-5.0-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2596/]|
|trunk|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-trunk-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-trunk-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|unknown]|

> Internode legacy SSL storage port certificate is not hot reloaded on update
> ---------------------------------------------------------------------------
>
> Key: CASSANDRA-18681
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18681
> Project: Cassandra
> Issue Type: Bug
> Components: Messaging/Internode
> Reporter: Jon Meredith
> Assignee: Jon Meredith
> Priority: Normal
>
> In CASSANDRA-16666 the SSLContext cache was changed to clear individual
> {{EncryptionOptions}} from the SslContext cache if they needed reloading to
> reduce resource consumption. Before the change if ANY cert needed hot
> reloading, the SSLContext cache would be cleared for ALL certs.
>
> If the legacy SSL storage port is configured, a new {{EncryptionOptions}}
> object is created in {{org.apache.cassandra.net.InboundSockets#addBindings}}
> just for binding the socket, but never gets cleared as the change in port
> means it no longer matches the configuration retrieved from
> {{DatabaseDescriptor}} in
> {{org.apache.cassandra.net.MessagingServiceMBeanImpl#reloadSslCertificates}}.
>
> This is unlikely to be an issue in practice as the legacy SSL internode
> socket is only used in mixed version clusters with pre-4.0 nodes, so the cert
> only needs to stay valid until all nodes upgrade to 4.x or above.
>
> One way to avoid this class of failures is to just check the entries present
> in the SSLContext cache.
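
A simplified model of the failure described in the issue above, added here as an illustration and not taken from the Cassandra code base or the linked branches. `Options`, `Context`, `getOrBuild`, `reloadConfiguredOnly`, `reloadCacheEntries` and the keystore path and port values are hypothetical stand-ins; the assumption is that the cache key's equality includes the port, as the description states.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model only; every name here is hypothetical.
public class HotReloadModel {
    // Stand-in for EncryptionOptions: equality covers the port (assumption from the issue text).
    record Options(String keystore, int port) {}
    // Stand-in for a built SSL context; records the keystore version it was built from.
    record Context(long builtFromVersion) {}

    static final Map<Options, Context> cache = new ConcurrentHashMap<>();
    static long keystoreVersion = 1; // stand-in for "keystore file changed on disk"

    static Context getOrBuild(Options o) {
        return cache.computeIfAbsent(o, k -> new Context(keystoreVersion));
    }

    static boolean isStale(Options o) {
        return getOrBuild(o).builtFromVersion() < keystoreVersion;
    }

    // Reload driven by configuration: evicts only keys equal to the configured options.
    static void reloadConfiguredOnly(List<Options> configured) {
        for (Options o : configured) cache.remove(o);
    }

    // Reload driven by the cache itself: checks every entry that is actually present.
    static void reloadCacheEntries() {
        cache.entrySet().removeIf(e -> e.getValue().builtFromVersion() < keystoreVersion);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Options configured = new Options("conf/keystore.jks", 7000);
        // Copy with a different port, created only to bind the legacy socket.
        Options legacy = new Options(configured.keystore(), 7001);
        getOrBuild(configured);
        getOrBuild(legacy);

        keystoreVersion = 2; // certificate rotated on disk

        reloadConfiguredOnly(List.of(configured));
        System.out.println("config-driven reload: configured stale=" + isStale(configured)
                           + ", legacy stale=" + isStale(legacy));

        reloadCacheEntries();
        System.out.println("cache-driven reload:  configured stale=" + isStale(configured)
                           + ", legacy stale=" + isStale(legacy));
    }
}
```

The config-driven pass leaves the legacy-port entry serving the old certificate because its key never equals a configured key, while the cache-driven pass evicts it regardless of how the key was derived.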