[
https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14585911#comment-14585911
]
Stefan Podkowinski commented on CASSANDRA-9590:
-----------------------------------------------
[~mikea], you're right, [STARTTLS|https://en.wikipedia.org/wiki/STARTTLS] would
be another option for how this could be implemented. Netty's
[SslHandler|https://netty.io/4.0/api/io/netty/handler/ssl/SslHandler.html] also
supports it, so it should be possible to enable STARTTLS for the server and
Java driver fairly easily. But we'd have to implement this for the other
drivers as well. Not sure if we should go down that road, instead of just
having two dedicated sockets.
> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
> Key: CASSANDRA-9590
> URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
> Project: Cassandra
> Issue Type: Improvement
> Components: Core
> Reporter: Stefan Podkowinski
>
> Enabling encryption for native transport currently turns SSL exclusively on
> or off for the opened socket. Migrating from plain to encrypted requires
> migrating all native clients as well and redeploying all of them at the same
> time after starting the SSL-enabled Cassandra nodes.
> This patch would allow starting Cassandra with both an unencrypted and an
> SSL-enabled native port. Clients can connect to either, based on whether they
> support SSL or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}}
> config option.
> There would be three scenarios:
> * client encryption disabled: native_transport_port unencrypted, port_ssl not
> used
> * client encryption enabled, port_ssl not set: encrypted native_transport_port
> * client encryption enabled and port_ssl set: native_transport_port
> unencrypted, port_ssl encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal (tests will be added later if people speak out in favor of
> the patch):
> [Diff trunk|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/optionalnativessl],
> [Patch against trunk|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/optionalnativessl.patch]
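
The three scenarios in the issue description, written out as an added example (not code from the proposed patch or from Cassandra): it resolves which native transport ports end up plaintext or encrypted and flags what an operator should review during a migration. The function names, the dict standing in for parsed cassandra.yaml settings and the sample port 9142 are assumptions of this sketch; 9042 is Cassandra's default native port.

```python
from __future__ import annotations
from typing import NamedTuple

DEFAULT_NATIVE_PORT = 9042  # Cassandra's default native_transport_port


class Listener(NamedTuple):
    port: int
    encrypted: bool


def native_listeners(conf: dict) -> list[Listener]:
    """Resolve native transport listeners per the three scenarios in the issue."""
    port = conf.get("native_transport_port", DEFAULT_NATIVE_PORT)
    port_ssl = conf.get("native_transport_port_ssl")
    tls = bool((conf.get("client_encryption_options") or {}).get("enabled"))
    if not tls:
        return [Listener(port, False)]   # scenario 1: port_ssl not used
    if port_ssl is None:
        return [Listener(port, True)]    # scenario 2: single encrypted port
    if port_ssl == port:
        # Assumption of this sketch: two listeners cannot share one port.
        raise ValueError("native_transport_port_ssl must differ from native_transport_port")
    return [Listener(port, False), Listener(port_ssl, True)]  # scenario 3


def audit(conf: dict) -> list[str]:
    """Flag settings an operator should review during a plain-to-SSL migration."""
    findings = []
    tls = bool((conf.get("client_encryption_options") or {}).get("enabled"))
    port_ssl = conf.get("native_transport_port_ssl")
    if not tls and port_ssl is not None:
        findings.append(f"port_ssl {port_ssl} is ignored: client encryption is disabled")
    for lis in native_listeners(conf):
        if not lis.encrypted:
            findings.append(f"port {lis.port} accepts unencrypted native clients")
    return findings


if __name__ == "__main__":
    # Constructed sample settings (scenario 3), not taken from a real cluster.
    sample = {"native_transport_port": 9042, "native_transport_port_ssl": 9142,
              "client_encryption_options": {"enabled": True}}
    for finding in audit(sample):
        print(finding)
```

In the dual-port scenario the original port keeps serving plaintext, so the finding for it stays open until every client has moved to the SSL port.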