Repository: cassandra Updated Branches: refs/heads/cassandra-2.0 be7914229 -> b93f48a5d
Disable SSLv3 for POODLE patch by Jeremiah Jordan; reviewed by jasobrown for CASSANDRA-8265 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/b93f48a5 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/b93f48a5 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/b93f48a5 Branch: refs/heads/cassandra-2.0 Commit: b93f48a5db321bf7c9fb55a800ed6ab2d6f6b102 Parents: be79142 Author: Jason Brown <jasedbr...@gmail.com> Authored: Wed Nov 12 15:58:13 2014 -0800 Committer: Jason Brown <jasedbr...@gmail.com> Committed: Wed Nov 12 15:58:13 2014 -0800
----------------------------------------------------------------------
CHANGES.txt | 1 +
src/java/org/apache/cassandra/security/SSLFactory.java | 4 ++++
.../org/apache/cassandra/thrift/CustomTThreadPoolServer.java | 4 ++++
src/java/org/apache/cassandra/transport/Server.java | 1 +
src/java/org/apache/cassandra/transport/SimpleClient.java | 1 +
5 files changed, 11 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 47e611c..809a102 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 2.0.12:
+ * Disable SSLv3 for POODLE (CASSANDRA-8265)
 * Fix millisecond timestamps in Tracing (CASSANDRA-8297)
 * Include keyspace name in error message when there are insufficient live nodes to stream from (CASSANDRA-8221)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 3cb0670..260c828 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -61,6 +61,7 @@ public final class SSLFactory
 String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
 serverSocket.setEnabledCipherSuites(suits);
 serverSocket.setNeedClientAuth(options.require_client_auth);
+ serverSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 serverSocket.bind(new InetSocketAddress(address, port), 500);
 return serverSocket;
 }
@@ -72,6 +73,7 @@ public final class SSLFactory
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
 String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
 socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 return socket;
 }
@@ -82,6 +84,7 @@ public final class SSLFactory
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
 String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
 socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 return socket;
 }
@@ -92,6 +95,7 @@ public final class SSLFactory
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
 String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
 socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 return socket;
 }
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index d1a3304..3111deb 100644
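Review bot: The new `setEnabledProtocols` call in `getServerSocket` (and the three `getSocket` hunks below it) passes a hard-coded literal straight through, while the cipher suites two lines above are first intersected with `getSupportedCipherSuites()` via `filterCipherSuites`; `setEnabledProtocols` throws `IllegalArgumentException` for any name the JSSE provider does not support, so on a provider lacking `TLSv1.1`/`TLSv1.2` every socket creation fails instead of falling back to the TLS versions it does have. I would hoist the literal into one `public static final String[] ACCEPTED_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};` on SSLFactory and apply the same intersection, e.g. `serverSocket.setEnabledProtocols(filterCipherSuites(serverSocket.getSupportedProtocols(), ACCEPTED_PROTOCOLS));`, assuming `filterCipherSuites` is a plain string-array intersection as its use here suggests. If that intersection comes back empty the node would be left with no TLS version at all, so that case should throw with a clear message rather than proceed. The enclosing methods begin before each hunk; the first hunk's `getServerSocket` body ends at the `}` shown.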
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -27,6 +27,8 @@ import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
+import javax.net.ssl.SSLServerSocket;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -251,6 +253,8 @@ public class CustomTThreadPoolServer extends TServer
 params.requireClientAuth(true);
 }
 TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(), 0, addr.getAddress(), params);
+ SSLServerSocket sslServerSocket = (SSLServerSocket) sslServer.getServerSocket();
+ sslServerSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize);
 }
 else
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index f095776..092e1ba 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
@@ -296,6 +296,7 @@ public class Server implements CassandraDaemon.Server
 sslEngine.setUseClientMode(false);
 sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
 sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
+ sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 SslHandler sslHandler = new SslHandler(sslEngine);
 sslHandler.setIssueHandshake(true);
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/transport/SimpleClient.java
----------------------------------------------------------------------
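Review bot: `sslServerSocket.setEnabledProtocols(...)` in the SSL branch is another verbatim copy of the protocol array that SSLFactory, Server.java and SimpleClient also carry, so the next change to the list — dropping TLSv1/TLSv1.1 or adding TLSv1.3 — has to be made in seven places and can silently drift between the Thrift, native-transport and internode paths. Expose one constant, e.g. `public static final String[] ACCEPTED_PROTOCOLS` on SSLFactory, and write `sslServerSocket.setEnabledProtocols(SSLFactory.ACCEPTED_PROTOCOLS);` here. The cast of `sslServer.getServerSocket()` to `SSLServerSocket` is unchecked and the reason for reaching into the Thrift transport is not recorded; a comment such as `// TSSLTransportFactory hands back an SSLServerSocket; restrict protocols on it directly (POODLE, CASSANDRA-8265)` would make the intent and the cast's precondition explicit, assuming the factory indeed always returns an SSL socket. The enclosing method begins before this hunk.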
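Review bot: `sslEngine.setEnabledProtocols(...)` in Server.java is applied to an engine that, judging from the `new SslHandler(sslEngine)` built right after it, appears to be created per connection, so a provider that rejects one of the literal names throws `IllegalArgumentException` inside pipeline construction on every client connect rather than once at startup, which is considerably harder to diagnose. Intersecting the list with `sslEngine.getSupportedProtocols()` (or, better, computing the filtered array once where the `SSLContext` is built and reusing it) avoids that, and a shared `SSLFactory.ACCEPTED_PROTOCOLS` constant would replace the literal that is now duplicated across four files. The retained `SSLv2Hello` also deserves a comment so it is not mistaken for SSLv2 itself, e.g. `// SSLv2Hello only allows the v2-format ClientHello; SSLv3 stays disabled (POODLE, CASSANDRA-8265)`. The enclosing method begins and ends outside this hunk.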
diff --git a/src/java/org/apache/cassandra/transport/SimpleClient.java b/src/java/org/apache/cassandra/transport/SimpleClient.java
index 5f2efda..3bcf751 100644
--- a/src/java/org/apache/cassandra/transport/SimpleClient.java
+++ b/src/java/org/apache/cassandra/transport/SimpleClient.java
@@ -259,6 +259,7 @@ public class SimpleClient
 SSLEngine sslEngine = sslContext.createSSLEngine();
 sslEngine.setUseClientMode(true);
 sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
+ sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
 ChannelPipeline pipeline = super.getPipeline();
 pipeline.addFirst("ssl", new SslHandler(sslEngine));
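Review bot: `sslEngine.setEnabledProtocols(...)` here targets an engine that `setUseClientMode(true)` two lines up makes a client, and as far as I recall SunJSSE a client-mode engine with `SSLv2Hello` enabled emits its ClientHello in the SSLv2 record format, which cannot carry TLS extensions (SNI, renegotiation_info); the server-side lists in this commit accept ordinary TLS hellos, so the client gains nothing from the pseudo-protocol. Unless compatibility with a non-Cassandra peer is required, drop it on the client side — `sslEngine.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});` — and consider the same for the client-side `getSocket` variants in SSLFactory. Whichever way that goes, a comment recording the decision, e.g. `// SSLv3 disabled for POODLE (CASSANDRA-8265); SSLv2Hello is the v2-format hello, not SSLv2`, would stop the next reader from second-guessing the list, and the literal should come from a shared constant rather than being repeated in each file. The enclosing method begins and ends outside this hunk.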