[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13158789#comment-13158789 ]
Brandon Williams commented on CASSANDRA-3278:
---------------------------------------------

This looks good, but one minor nit: instead of cipherSuites in the yaml can we use the more idiomatic 'cipher_suites'?

> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
>                 Key: CASSANDRA-3278
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.8.0
>         Environment: OpenJDK on debian squeeze
>            Reporter: George
>            Assignee: Vijay
>            Priority: Minor
>             Fix For: 1.0.5
>
>         Attachments: 0001-commiting-filter-for-supported-suits.patch,
> 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch,
> 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt,
> cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
> with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
>     "TLS_RSA_WITH_AES_128_CBC_SHA",
>     "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
> fails on systems that don't have [Java Cryptography Extension (JCE)
> Unlimited Strength Jurisdiction Policy Files
> 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html]
> because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in
> SSLFactory.java should call
> [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()]
> to find out which of the suites specified are supported.
> Thanks,
> George
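
The filtering the issue asks for, sketched as an added example; it is not taken from the patches attached to the issue or from Cassandra's SSLFactory. The class name `CipherSuiteFilter`, the helper `filterSupported` and the third suite name are hypothetical, and refusing to start when nothing matches is a choice made for this example.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class CipherSuiteFilter {
    // Keep the configured order (operator preference) and drop every name the
    // JVM does not report as supported, so setEnabledCipherSuites cannot throw
    // IllegalArgumentException on a JVM without the unlimited strength policy.
    static String[] filterSupported(String[] configured, String[] supported) {
        Set<String> available = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (String suite : configured) {
            if (available.contains(suite)) {
                usable.add(suite);
            } else {
                // Make the downgrade visible to the operator instead of hiding it.
                System.err.println("Skipping unsupported cipher suite: " + suite);
            }
        }
        if (usable.isEmpty()) {
            // Assumption of this example: fail at startup rather than listen
            // with a suite list the operator did not choose.
            throw new IllegalStateException(
                "None of the configured cipher suites is supported by this JVM");
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        String[] configured = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_CONSTRUCTED_NOT_A_REAL_SUITE" // constructed name, never supported
        };
        // Unbound server socket: enough to query the JVM, opens no port.
        try (SSLServerSocket socket = (SSLServerSocket)
                SSLContext.getDefault().getServerSocketFactory().createServerSocket()) {
            String[] usable = filterSupported(configured, socket.getSupportedCipherSuites());
            socket.setEnabledCipherSuites(usable);
            System.out.println("Enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Logging each dropped suite matters operationally: a node that silently falls back from AES-256 to AES-128 still starts, so the log line is the only record that the effective TLS configuration differs from the one in the yaml.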