[ https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17766996#comment-17766996 ]

Dinesh Joshi commented on CASSANDRA-18681:
------------------------------------------

+1, thanks for the patch!

> Internode legacy SSL storage port certificate is not hot reloaded on update
> ---------------------------------------------------------------------------
>
>                 Key: CASSANDRA-18681
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18681
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Messaging/Internode
>            Reporter: Jon Meredith
>            Assignee: Jon Meredith
>            Priority: Normal
>
> In CASSANDRA-16666 the SSLContext cache was changed to clear individual 
> {{EncryptionOptions}} from the SslContext cache if they needed reloading to 
> reduce resource consumption. Before the change if ANY cert needed hot 
> reloading, the SSLContext cache would be cleared for ALL certs.
> If the legacy SSL storage port is configured, a new {{EncryptionOptions}} 
> object is created in {{org.apache.cassandra.net.InboundSockets#addBindings}} 
> just for binding the socket, but never gets cleared as the change in port 
> means it no longer matches the configuration retrieved from 
> {{DatabaseDescriptor}} in 
> {{org.apache.cassandra.net.MessagingServiceMBeanImpl#reloadSslCertificates}}.
> This is unlikely to be an issue in practice as the legacy SSL internode 
> socket is only used in mixed version clusters with pre-4.0 nodes, so the cert 
> only needs to stay valid until all nodes upgrade to 4.x or above.
> One way to avoid this class of failures is to just check the entries present 
> in the SSLContext cache.
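
The mismatch described in the issue, reduced to a self-contained Java model. This is an added example, not Cassandra's code or the patch; the class, record and method names, the keystore name and the port numbers are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model of the bug; every name here is hypothetical, not Cassandra's API.
public class SslContextCacheModel {
    // Stand-in for EncryptionOptions: the port is part of equality, so a copy
    // made for another port is a different cache key.
    record Options(String keystore, int port) {}

    // Stand-in for a cached SSLContext: remembers which cert version it was built from.
    record Context(int certVersion) {}

    static final Map<String, Integer> certVersionOnDisk = new HashMap<>();
    static final Map<Options, Context> cache = new HashMap<>();

    static Context contextFor(Options o) {
        return cache.computeIfAbsent(o, k -> new Context(certVersionOnDisk.get(k.keystore())));
    }

    // Behaviour described in the issue: only options obtained from configuration are evicted.
    static void reloadConfigured(List<Options> configured) {
        for (Options o : configured)
            if (cache.containsKey(o) && isStale(o)) cache.remove(o);
    }

    // Approach suggested in the issue: check the entries actually present in the cache.
    static void reloadCached() {
        cache.keySet().removeIf(SslContextCacheModel::isStale);
    }

    static boolean isStale(Options o) {
        return cache.get(o).certVersion() != certVersionOnDisk.get(o.keystore());
    }

    public static void main(String[] args) {
        certVersionOnDisk.put("node.jks", 1);            // constructed sample values
        Options storage = new Options("node.jks", 7000);
        Options legacy = new Options("node.jks", 7001);  // copy created only to bind the legacy socket
        contextFor(storage);
        contextFor(legacy);

        certVersionOnDisk.put("node.jks", 2);            // certificate rotated on disk
        reloadConfigured(List.of(storage));
        System.out.println("config-driven reload, legacy context cert version: " + contextFor(legacy).certVersion());

        reloadCached();
        System.out.println("cache-driven reload, legacy context cert version: " + contextFor(legacy).certVersion());
    }
}
```

The config-driven pass leaves the legacy-port entry built from the old certificate because its key never appears in the configured list, while the cache-driven pass evicts it and the next lookup rebuilds it from the rotated certificate.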


