[jira] [Commented] (CASSANDRA-8751) C* should always listen to both ssl/non-ssl ports
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15395190#comment-15395190 ]

Sylvain Lebresne commented on CASSANDRA-8751:

As [~timiblossom] hasn't given any update for a while, I'm not sure he's actively working on this. And, for what it's worth, no one else is currently working on this to my knowledge. This is an open-source project however and we welcome contributions. But I should mention that 2.1 is only getting critical fixes at this point and 2.2 only bug fixes, so as this is an improvement, it will at best be committed to the 3.0 branch, if not the 3.x tick-tock one.

> C* should always listen to both ssl/non-ssl ports
>
> Key: CASSANDRA-8751
> URL: https://issues.apache.org/jira/browse/CASSANDRA-8751
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Minh Do
> Assignee: Minh Do
> Fix For: 3.x
>
> Since there is always one thread dedicated to the server socket listener and it does not use much resource, we should always have these two listeners up no matter what users set for internode_encryption.
> The reason behind this is that we need to switch back and forth between different internode_encryption modes and we need C* servers to keep running in a transient state or during mode switching. Currently this is not possible.
> For example, we have an internode_encryption=dc cluster in a multi-region AWS environment and want to set internode_encryption=all by rolling restart of C* nodes. However, the node with internode_encryption=all does not open to listen to the non-ssl port. As a result, we have a split-brain cluster here.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15394398#comment-15394398 ]

sai k potturi commented on CASSANDRA-8751:

When will we have this available? We have not been able to enable SSL for our cluster because of the split-brain scenario mentioned. We are currently on version 2.1.12.
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14994460#comment-14994460 ]

Robert Stupp commented on CASSANDRA-8751:

It is possible to accept both SSL and non-SSL traffic using the same server socket, as done in CASSANDRA-10559. Could be easily done with CASSANDRA-8457 in the same way as CASSANDRA-10559, but maybe with some additional checks that _for example_ enforce encrypted and maybe certificate-authenticated for intra-DC traffic.
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14337232#comment-14337232 ]

Mike Adamson commented on CASSANDRA-8751:

TLS is a transport-level protocol and is initiated on top of an unencrypted connection. It would be possible using that to run both encrypted and unencrypted sessions on the same port.
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14335507#comment-14335507 ]

Minh Do commented on CASSANDRA-8751:

A TLS/SSL socket by design only processes secured or encrypted messages. How can we use this one TLS/SSL socket to process both plain-text and encrypted messages simultaneously? I don't think we can get away from this.
[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14322714#comment-14322714 ]

Mike Adamson commented on CASSANDRA-8751:

Why not have a single socket supporting TLS? The socket could / would then support encrypted and unencrypted connections. This could be controlled by configuration as to whether unencrypted connections are allowed.
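An added illustration of the single-port approach raised by Mike Adamson and Robert Stupp in this thread (example code, not Cassandra's own or anything from CASSANDRA-10559): the listener peeks at the first bytes of an inbound connection, recognises a TLS ClientHello record, and otherwise applies the internode_encryption mode plus a transition switch to decide whether a plaintext peer is accepted. The ListenerPolicy class, the allow_plaintext_in_transition switch and the sample byte strings are assumptions made for this example.

```python
from enum import Enum


class Verdict(Enum):
    TLS = "tls"
    PLAINTEXT = "plaintext"
    NEED_MORE = "need-more"


def classify_prefix(data: bytes) -> Verdict:
    """Classify the first bytes peeked from an inbound connection.

    A TLS handshake begins with a 5-byte record header: content type 0x16
    (handshake), record version 0x03 0x01..0x03, a 2-byte length, followed
    by handshake type 0x01 (ClientHello). SSLv2-style hellos are not handled.
    """
    if len(data) < 6:
        return Verdict.NEED_MORE  # peek again once more bytes have arrived
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return Verdict.TLS
    return Verdict.PLAINTEXT


class ListenerPolicy:
    """Hypothetical model of whether a plaintext peer is acceptable under an
    internode_encryption mode (none / rack / dc / all). The transition switch
    stands for the configuration knob suggested in the thread."""

    def __init__(self, internode_encryption: str, allow_plaintext_in_transition: bool):
        self.mode = internode_encryption
        self.transition = allow_plaintext_in_transition

    def encryption_required(self, same_dc: bool, same_rack: bool) -> bool:
        return {"none": False, "all": True,
                "dc": not same_dc, "rack": not same_rack}[self.mode]

    def decide(self, first_bytes: bytes, same_dc: bool, same_rack: bool) -> str:
        verdict = classify_prefix(first_bytes)
        if verdict is Verdict.NEED_MORE:
            return "wait"
        if verdict is Verdict.TLS:
            return "accept-tls"  # TLS is always offered on the shared port
        if not self.encryption_required(same_dc, same_rack):
            return "accept-plaintext"
        if self.transition:
            return "accept-plaintext-transition"  # worth logging: peer not yet upgraded
        return "reject"


# Constructed samples (not captured traffic): a TLS 1.2 ClientHello record
# prefix, and a plaintext frame whose first four bytes mimic Cassandra's
# internode protocol magic 0xCA552DFA (assumed value, for illustration only).
CLIENT_HELLO = bytes.fromhex("16030100c5010000c10303")
PLAINTEXT = bytes.fromhex("ca552dfa00000001")
```

In a real listener the peek would be a non-consuming read on the accepted socket, after which the connection is handed either to a TLS engine or to the plaintext handler.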