[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17713218#comment-17713218
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Thank you both [~smiklosovic] and [~maedhroz] 

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 5.0, 4.1.2
>
>  Time Spent: 11h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Caleb Rackliffe (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17712667#comment-17712667
 ] 

Caleb Rackliffe commented on CASSANDRA-18124:
-

+1

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 10h 40m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17712659#comment-17712659
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

4.1 j8 pre-commit 
https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/1b38f1ca-83c2-4670-91fd-1d438974deef
4.1 j11 pre-commit 
https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/8c42e4dc-06f8-4d9e-acc5-a6fb7dc27800

trunk j8 pre-commit 
https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/f02a1089-b95f-4284-895d-73fbdbc63f8c
trunk j11 pre-commit 
https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/a560d634-2596-4954-8486-87764efaee0d

all failing tests are known / are flaky

4.1 branch / commit 
https://github.com/instaclustr/cassandra/commit/bd49f6ff265c8bfa64bf140328ae6736dc4a87bd
trunk branch / commit 
https://github.com/instaclustr/cassandra/commit/c67b8691e0e32ad9133a5295bc2f9d756dd0541c

I just took what was there from Maulin and squashed it and rebased.

[~maedhroz] I am +1, are you too? I have to ask!

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 10h 40m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711601#comment-17711601
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~smiklosovic] I prepared the backport for this ticket for 4.1 branch. Please 
review [this PR-2273|https://github.com/apache/cassandra/pull/2273]

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 7h 20m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711098#comment-17711098
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Will prepare 4.1 patch and picked-up Caleb's suggestions on the NEWS.txt. Now I 
guess one comment left to be resolved.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 7h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Caleb Rackliffe (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17711047#comment-17711047
 ] 

Caleb Rackliffe commented on CASSANDRA-18124:
-

Added a couple last comments to the PR. Let me know if those make sense...

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 7h
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710439#comment-17710439
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

[~maulin.vasavada] it would be great if you prepared the patch for 4.1 as well.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 6h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710349#comment-17710349
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~smiklosovic] Finally I got my IntelliJ 2023 working! Let me know if you want 
me to backport to 4.1. 

 

[~maedhroz] I added a note in the NEWS.txt, please review and see if you have 
any comments.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 6h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710308#comment-17710308
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

I tried to backport it here 
https://github.com/instaclustr/cassandra/commit/943bf9824387e60a5a30745508d6b8a869e5607e

I ll build it soonish. Could you go through that if you have 10 mins?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710307#comment-17710307
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~maedhroz] I'll modify the NEWS.txt as per the PR suggestion. I got distracted 
due to 2023 IntelliJ forced update that killed my workspace (still broken) but 
the NEWS.txt change doesn't depend on my workspace's stability so I can make it 
separately.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710306#comment-17710306
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~smiklosovic] This might have conflict with 4.1 because the trunk's 
compilation on examples/ssl-factory was broken and originally you fixed it in 
your branch and I picked up the same changes in my PR. I made sure in my PR I 
have a separate commit just to fix that compilation issue on the trunk to 
clearly see what was needed for that vs my actual intended changes for this 
ticket.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710275#comment-17710275
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

[~maulin.vasavada] is this applicable to 4.1? I was trying to cherry-pick that 
but it I was getting conflicts. Was there something done in trunk since 4.1 so 
this is not nicely applicable to 4.1?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Caleb Rackliffe (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17710213#comment-17710213
 ] 

Caleb Rackliffe commented on CASSANDRA-18124:
-

Does this still need a committer?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Caleb Rackliffe (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17708973#comment-17708973
 ] 

Caleb Rackliffe commented on CASSANDRA-18124:
-

+1 (w/ some minor conversations to wrap up in the PR)

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707509#comment-17707509
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

LGTM, thank you.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707335#comment-17707335
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

j8 precommit looks good 
https://app.circleci.com/pipelines/github/instaclustr/cassandra/2043/workflows/058d0781-13f9-45f0-9343-b6b84d6f4485

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707072#comment-17707072
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Hi [~rtib] Please confirm with the latest PR if the changes look good based on 
your testing. [~smiklosovic] I've resolved your comment on the PR, let me know 
if you want me to start the circleCI or you would kick it off. Thanks

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706571#comment-17706571
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

Thank you for your perseverance, [~maulin.vasavada]. I may take a look. We 
still need the second reviewer / committer, though. I ll ask around.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17706569#comment-17706569
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Hi [~rtib] and [~smiklosovic] I made changes suggested above and on the PR for 
the formatting fix. Raised a new PR, since I wanted to make sure I can see the 
formatting changes clearly. Can you please test/review 
[https://github.com/apache/cassandra/pull/2253] ? Thanks.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17704487#comment-17704487
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

My opinion concerning the warnings is, that your approach of changing the 
warning logic is fine and the only suitable way for 4.1.x.

In 5.x however, the legacy configuration parameter should be removed, along 
with the whole code to generate these warnings. But that's a different issue 
and I don't know about a ticket for that.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17704370#comment-17704370
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Thanks [~rtib] for the review. I can update the cassandra yaml to have the PEM 
example in comments. Also I'll try to check on the Nodetool output. I fixed the 
issue of getting truststore warning for the PEM and made truststore password 
also nullable but this warning I need to check. Earlier it came because of 
defaults and the fallback of `key_password` to `keystore_password` in the 
absence of the prior, now it could be the same reason. Meanwhile [~smiklosovic] 
can we get any additional PR reviews to have more eyes on this ?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17703974#comment-17703974
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

One minor issue: nodetool is complaining about configuration
{code}
% bin/nodetool stopdaemon
WARN  08:50:50,063 Only 20,213GiB free across all data volumes. Consider adding 
more capacity to your cluster or removing obsolete snapshots
WARN  08:50:50,566 'keystore_password' and 'key_password' both are configured 
but since the values match it's okay. Ideally you should only specify one of 
them.
WARN  08:50:50,567 'keystore_password' and 'key_password' both are configured 
but since the values match it's okay. Ideally you should only specify one of 
them.
Cassandra has shutdown.
{code}


> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17703956#comment-17703956
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

I've tested it, looks good. I haven't tested with intermediate CA certificates 
for now, but that wasn't the issue either.

One small suggestion: currently the configuration example can only be found on 
the website, would you mind to put configuration examples using 
PEMBasedSslContextFactory into the comments of cassandra.yaml? That would lower 
the setup threshold.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17703578#comment-17703578
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

Sorry for the delay, I was busy the last few days. Of course, I'll have a look 
and test it.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17702124#comment-17702124
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

Thank you very much, [~maulin.vasavada]!

[~rtib] do you have any capacity to try the above pull request and verify it 
all works for you as well?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699885#comment-17699885
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~smiklosovic] Here you go with [a 
PR|https://github.com/instaclustr/cassandra/pull/49] on the 
instaclustr/cassandra. Let us review that and I can start porting those changes 
to 4.1/trunk on apache/cassandra.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699821#comment-17699821
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Sure, soon enough. I was on instaclustr branch (inherited from the other 
issue's discussion). I can quickly raise a PR there while I work on the 4.1 
patch as per Brandon's suggestion.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699582#comment-17699582
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

I guess the second approach is fine. Hard to tell without having the code to 
see the changes. Would you mind to prepare a PR for your 2nd idea?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699145#comment-17699145
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

So far it looks like 1st option is more convoluted. 2nd option is much cleaner 
and simple changes. If we fail to provide `keystore_password` for the JKS, it 
will fail with the new changes (throws NPE since the 
FileBasedSslContextFactory.java) doesn't expect null for the password. I can 
add validation in the FileBasedSslContextFactory for the null keystore password 
to avoid NPE.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699105#comment-17699105
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

Thanks [~brandon.williams] . [~smiklosovic] While modifying the code to allow 
null password configuration for the PEM I am running into a challenge that we 
have a logic to fallback to `keystore_password` configuration in case 
`key_password` configuration (created for the PEM). Due to that fallback logic 
we have to change default for the `keystore_password` also to be null 
(specifically in EncryptionOptions.java). I think we have two options-
 # Drop the fallback logic reading the `keystore_password` in case of PEM keys.
 ## This fallback logic was done primarily to support a use-case for PEM keys 
provided in a file with existing `keystore` configuration in which case it also 
makes sense to continue read the key password from the 
`keystore_password`configuration.
 # Make `keystore_password` nullable configuration which means removing the 
default value injected by EncryptionOptions.java
 ## I think we can make this nullable since practically operators might not 
have JKS keystores with the passwords except for a missed-configuration 
use-case AND for PEM it makes perfect sense to allow null password for the 
unencrypted keys.
 ## However, since we are changing the default for an older configuration, we 
have to give more thoughts on its effect on existing systems.

Let me see what 2nd option entails (in terms of tests etc) while you provide 
you thoughts on this.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Francisco Guerrero (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17698670#comment-17698670
 ] 

Francisco Guerrero commented on CASSANDRA-18124:


Thanks [~maulin.vasavada]. I won't be able to get to this for at least a couple 
of weeks.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Brandon Williams (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17698669#comment-17698669
 ] 

Brandon Williams commented on CASSANDRA-18124:
--

I think you should base this patch off of trunk, regardless of other tickets.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17698661#comment-17698661
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

One question- Since the trunk was broken for example/ssl-factory, what should 
be the base I. can use to build for this if the trunk is still broken?

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17698660#comment-17698660
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

[~smiklosovic] I'll take this. Sorry last couple of weeks has been crazy.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Assignee: Maulin Vasavada
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Stefan Miklosovic (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17698301#comment-17698301
 ] 

Stefan Miklosovic commented on CASSANDRA-18124:
---

Any progress? [~maulin.vasavada]  [~frankgh] 

It would be great if this is not forgotten.

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>  Components: Local/Config
>Reporter: Tibor Repasi
>Priority: Normal
> Fix For: 4.1.x, 5.x
>
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Maulin Vasavada (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17693395#comment-17693395
 ] 

Maulin Vasavada commented on CASSANDRA-18124:
-

SO [~frankgh] Did we make any progress on this? Do you want my help on 
anything? 

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>Reporter: Tibor Repasi
>Priority: Normal
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Tibor Repasi (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649180#comment-17649180
 ] 

Tibor Repasi commented on CASSANDRA-18124:
--

The use and default value of {{truststore_password}} should also be reviewed in 
order to avoid startup warnings like:
{code}
PEMBasedSslContextFactory.java:125 - PEM based truststore should not be using 
password. Ignoring the given value in 'truststore_password' configuration.
{code}


> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>Reporter: Tibor Repasi
>Priority: Normal
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Ekaterina Dimitrova (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649116#comment-17649116
 ] 

Ekaterina Dimitrova commented on CASSANDRA-18124:
-

[~frankgh] Sure, it would be great if you already have it with the tests, etc. 
Thank you!

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>Reporter: Tibor Repasi
>Priority: Normal
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Francisco Guerrero (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17648855#comment-17648855
 ] 

Francisco Guerrero commented on CASSANDRA-18124:


[~e.dimitrova] I've encountered this issue recently, and might have a patch 
around. I can submit a fix, as you mention we need to mark the param with 
{{@Nullable}}

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>Reporter: Tibor Repasi
>Priority: Normal
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-18124) Config parameter keystore_password should be nullable

[Ekaterina Dimitrova (Jira)]

[ 
https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17648680#comment-17648680
 ] 

Ekaterina Dimitrova commented on CASSANDRA-18124:
-

CC [~maulin.vasavada], [~stefan.miklosovic] and [~jonmeredith] 

If we want to allow the null value we need to mark the parameter with @Nullable 
in the codebase as the default value is not null 

 

> Config parameter keystore_password should be nullable
> -
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
>  Issue Type: Bug
>Reporter: Tibor Repasi
>Priority: Normal
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might 
> accept that by assuming keyPassword to be null in that case (e.g. 
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to 
> be set null or empty in the cassandra.yaml.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org