Nachiket Patil created CASSANDRA-13325:
------------------------------------------
Summary: Bring back the accepted encryption protocols list as
configurable option
Key: CASSANDRA-13325
URL: https://issues.apache.org/jira/browse/CASSANDRA-13325
Project: Cassandra
Issue Type: Improvement
Components: Configuration
Reporter: Nachiket Patil
Priority: Minor

With CASSANDRA-10508, the hard-coded list of accepted encryption protocols was
eliminated. For some use cases, it is necessary to restrict the encryption
protocols used for communication between client and server. The default JVM way
of negotiation allows the best encryption protocol that the client can use.

E.g. I have set Cassandra to use encryption. Ideally, client and server
negotiate to use the best protocol (TLSv1.2). But a malicious client might force
TLSv1.0, which is susceptible to POODLE attacks.

At the moment, the only way to restrict the encryption protocol is using the
{{jdk.tls.client.protocols}} system property. If I don't have enough access to
modify this property, I don't have any way of restricting the encryption
protocols.

I am proposing to bring back the accepted_protocols property but make it
configurable. If not specified, let the JVM take care of the TLS negotiations.
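An added example, not taken from the ticket or from Cassandra's code base: one way a configurable accepted-protocols list could be applied to a server-side `SSLEngine`, leaving negotiation to the JVM when the option is unset and refusing to start when none of the listed protocols is available. The class name, the `resolveProtocols` helper and the sample list are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AcceptedProtocolsExample {

    /**
     * Hypothetical helper: returns the protocols to enable on an engine.
     * accepted    - operator-configured list (null or empty means "not specified")
     * supported   - protocols this JVM can speak
     * jvmDefaults - protocols the JVM enables by default
     */
    static String[] resolveProtocols(String[] accepted, String[] supported, String[] jvmDefaults) {
        if (accepted == null || accepted.length == 0)
            return jvmDefaults; // option not set: let the JVM handle negotiation

        List<String> supportedList = Arrays.asList(supported);
        List<String> enabled = new ArrayList<>();
        for (String protocol : accepted) {
            String name = protocol.trim();
            if (supportedList.contains(name) && !enabled.contains(name))
                enabled.add(name);
        }
        // Fail closed: silently falling back to the defaults would re-enable
        // the protocols the operator meant to exclude.
        if (enabled.isEmpty())
            throw new IllegalArgumentException(
                "No accepted protocol is supported by this JVM: " + Arrays.toString(accepted));
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side of the handshake

        String[] accepted = { "TLSv1.2" }; // constructed sample configuration value
        engine.setEnabledProtocols(resolveProtocols(
            accepted, engine.getSupportedProtocols(), engine.getEnabledProtocols()));

        // A client offering only TLSv1.0 can no longer complete a handshake with
        // this engine, because that version is not in the enabled set.
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```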