[ https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17766996#comment-17766996 ]
Dinesh Joshi commented on CASSANDRA-18681: ------------------------------------------ +1, thanks for the patch! > Internode legacy SSL storage port certificate is not hot reloaded on update > --------------------------------------------------------------------------- > > Key: CASSANDRA-18681 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18681 > Project: Cassandra > Issue Type: Bug > Components: Messaging/Internode > Reporter: Jon Meredith > Assignee: Jon Meredith > Priority: Normal > > In CASSANDRA-16666 the SSLContext cache was changed to clear individual > {{EncryptionOptions}} from the SslContext cache if they needed reloading to > reduce resource consumption. Before the change if ANY cert needed hot > reloading, the SSLContext cache would be cleared for ALL certs. > If the legacy SSL storage port is configured, a new {{EncryptionOptions}} > object is created in {{org.apache.cassandra.net.InboundSockets#addBindings}} > just for binding the socket, but never gets cleared as the change in port > means it no longer matches the configuration retrieved from > {{DatabaseDescriptor}} in > {{org.apache.cassandra.net.MessagingServiceMBeanImpl#reloadSslCertificates}}. > This is unlikely to be an issue in practice as the legacy SSL internode > socket is only used in mixed version clusters with pre-4.0 nodes, so the cert > only needs to stay valid until all nodes upgrade to 4.x or above. > One way to avoid this class of failures is to just check the entries present > in the SSLContext cache. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org