Here's what I was told by IBM JVM Support:

> ...the string "SSLv2Hello" is not supported in IBM JVM but more importantly, the protocol SSLv2 is no longer a valid protocol in our JVM.
> We don't even have SSLv3 enabled by default due to the HIGH severity vulnerabilities this protocol has.

Is there anything I can do to use IBM JVM and Cassandra with encryption?

Thanks.

Lou.

On Tue, Apr 24, 2018 at 12:41 PM, Michael Shuler <mich...@pbandjelly.org> wrote:
> Correct!
>
> Thanks for the trace, Lou.
>
> SSLFactory.java:67 specifies a list of protocols, including SSLv2Hello.
>
> "It [IBM JSSE] does not support specifying SSLv2Hello."
> https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html
>
> Apache Cassandra is tested on Oracle JDK and OpenJDK. Use a supported version of either of those, and this problem should go away. Alternatively, do a custom build of Cassandra, if you must run a little-used JDK?
>
> Also, just for a little additional info, SSLv2Hello != SSLv2, so I do not believe that there is a worry about some weak protocol here.
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4915862
>
> --
> Kind regards,
> Michael
>
> On 04/24/2018 11:23 AM, Marcus Haarmann wrote:
> > OK, this is IBM JDK. The options might differ. I have been searching for Oracle Java options.
> > You will need to consult the IBM documentation in this case.
> >
> > Marcus Haarmann
> >
> > ------------------------------------------------------------------------
> > *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
> > *To: *"user" <user@cassandra.apache.org>
> > *Sent: *Tuesday, 24 April 2018 16:08:06
> > *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
> >
> > Thanks for your suggestions.
> > I tried using the -D shown below:
> >
> > degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
> > degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
> > ...
> > WARN 14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
> > Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
> > java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
> > at com.ibm.jsse2.S.a(S.java:112)
> > at com.ibm.jsse2.S.b(S.java:136)
> > at com.ibm.jsse2.S.<init>(S.java:177)
> > at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
> > at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
> > at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
> > at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
> > at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
> > at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
> > at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
> > at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
> > at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
> > at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
> > at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
> > ERROR 14:01:09 Exception encountered during startup
> > java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
> >
> > Who is at fault: user, Cassandra, JVM, OS?
> >
> > Thanks.
> >
> > Lou.
> >
> > On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <marcus.haarm...@midoco.de> wrote:
> >
> > Hi,
> >
> > I did take a look into the source code of 3.11, but I believe the code is more or less the same.
> > The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
> > The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file.
> > Or to define a system property on the command line (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello).
> >
> > There are multiple options for SSL configuration in the config (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html).
> > The most interesting one in your situation would be the cipher_suites option, which allows you to limit the available cipher suites, e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (which is a TLS1.2-only cipher suite).
> >
> > You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze).
> >
> > Marcus Haarmann
> >
> > ------------------------------------------------------------------------
> > *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
> > *To: *"user" <user@cassandra.apache.org>
> > *Sent: *Tuesday, 24 April 2018 11:21:06
> > *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
> >
> > Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2? Happy to use a newer version of Cassandra if that's what's required.
> >
> > On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lou.degen...@gmail.com> wrote:
> >
> > 3.0.9
> >
> > On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mich...@pbandjelly.org> wrote:
> >
> > On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> > > Could you be more specific? What does one specify exactly to assure SSLv2 is not used for both client-server and server-server communications? Example yaml statements would be wonderful.
> >
> > The defaults in cassandra.yaml have only TLS specified in the current branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
> > It's possible you may be on something older - what version are we talking about?
> >
> > --
> > Michael
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
> > For additional commands, e-mail: user-h...@cassandra.apache.org
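The failure in the trace above comes from a fixed protocol list being handed straight to setEnabledProtocols(), which IBM JSSE rejects outright. As an added example (not Cassandra's or IBM's code), this hypothetical ProtocolFilter keeps only the configured names the running provider reports as supported, refuses SSLv2/SSLv3 regardless of provider support, and fails closed if nothing remains; WANTED is a constructed list, not the exact contents of SSLFactory.java.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Hypothetical helper, not part of Cassandra: reconcile a configured protocol
// list with the JSSE provider actually in use before calling setEnabledProtocols().
public final class ProtocolFilter {

    // Constructed wish list; "SSLv2Hello" is the entry IBM JSSE refuses to recognise.
    static final String[] WANTED = { "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv2Hello" };

    // Never enabled, even if a provider reports them as supported.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList("SSLv2", "SSLv3"));

    static String[] filterSupported(String[] wanted, String[] supported) {
        Set<String> ok = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String p : wanted) {
            if (DENIED.contains(p)) {
                System.err.println("WARN refusing legacy protocol " + p);
            } else if (!ok.contains(p)) {
                // Log and skip instead of letting the provider throw IllegalArgumentException.
                System.err.println("WARN " + p + " is not supported by this JSSE provider; skipping");
            } else {
                enabled.add(p);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed rather than silently falling back to the provider's defaults.
            throw new IllegalStateException("none of " + Arrays.toString(wanted) + " is usable on this JVM");
        }
        return enabled.toArray(new String[0]);
    }

    // The call that fails at SSLFactory.java:67 in the trace, with the reconciled list instead.
    static void apply(SSLServerSocket socket, String[] wanted) {
        socket.setEnabledProtocols(filterSupported(wanted, socket.getSupportedProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // The default SSLContext reports the provider's protocol support; no keystore or network needed.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        System.out.println("supported by this JVM: " + Arrays.toString(supported));
        System.out.println("would enable:          " + Arrays.toString(filterSupported(WANTED, supported)));
    }
}
```

The https.protocols system property only governs HttpsURLConnection clients, not the SSLServerSocket that SSLFactory opens, so the list reaching setEnabledProtocols() has to be changed in code or in Cassandra's own configuration.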