[ 
https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14728829#comment-14728829
 ] 

Stefan Podkowinski commented on CASSANDRA-9590:
-----------------------------------------------

Done with the following changes:
* {{native_transport_port_ssl}} option including description added to 
{{conf/cassandra.yaml}}
* Using {{native_transport_port_ssl}} without enabling encryption in 
{{client_encryption_options}} will now throw a config exception

Notes on JCE requirements should be part of the documentation (installation 
guide?) and not part of the {{cassandra.yaml}} IMO. Maybe also add a reference 
to missing JCE as part of the security exception being thrown as a consequence 
of not having JCE installed.

The certificates for the dtest should be created automatically by 
{{generate_ssl_stores(self.test_path)}} for each test. I've followed 
{{internode_ssl_test.py}} as a reference - does this one work for you? Please 
find a log file of the output of the test running on my machine attached. Feel 
free to ping me on IRC if you still can't get the test to work.

[PR for DTest|https://github.com/riptano/cassandra-dtest/pull/530] created.

> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-9590
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 2.1.x
>
>         Attachments: nosetest_output.txt
>
>
> Enabling encryption for native transport currently turns SSL exclusively on 
> or off for the opened socket. Migrating from plain to encrypted requires 
> migrating all native clients as well and redeploying all of them at the same 
> time after starting the SSL-enabled Cassandra nodes. 
> This patch would allow starting Cassandra with both an unencrypted and an 
> SSL-enabled native port. Clients can connect to either, based on whether they 
> support SSL or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}} 
> config option. 
> There would be three scenarios:
> * client encryption disabled, {{native_transport_port}} unencrypted, 
> {{native_transport_port_ssl}} not used
> * client encryption enabled, {{native_transport_port_ssl}} not set, 
> {{native_transport_port}} encrypted
> * client encryption enabled, {{native_transport_port_ssl}} set, 
> {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal: 
> [Branch|https://github.com/spodkowinski/cassandra/tree/cassandra-9590], 
> [Diff cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590], 
> [Patch against cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590.patch]
> DTest: 
> [Branch|https://github.com/spodkowinski/cassandra-dtest/tree/cassandra-9590], 
> [Diff master|https://github.com/riptano/cassandra-dtest/compare/master...spodkowinski:cassandra-9590], 
> [Pull Request|https://github.com/riptano/cassandra-dtest/pull/530]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
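
The three scenarios and the configuration check from the message above, modelled as an added Python example (not code from the Cassandra patch or the dtest PR). The function names, the `ConfigurationError` class and the sample port numbers are assumptions; the point for an operator is that the third scenario leaves a plaintext listener open until it is removed again.

```python
"""Model of the native transport listener layout described in CASSANDRA-9590."""


class ConfigurationError(Exception):
    """Hypothetical stand-in for the config exception the comment mentions."""


def resolve_native_listeners(conf):
    """Map each native transport port to "tls" or "plaintext".

    `conf` is a dict shaped like a parsed cassandra.yaml.
    """
    port = conf["native_transport_port"]
    ssl_port = conf.get("native_transport_port_ssl")
    enc = conf.get("client_encryption_options") or {}
    enabled = bool(enc.get("enabled", False))

    if not enabled:
        if ssl_port is not None:
            # The check added in the comment: SSL port without encryption.
            raise ConfigurationError(
                "native_transport_port_ssl is set but "
                "client_encryption_options.enabled is false"
            )
        return {port: "plaintext"}                 # scenario 1
    if ssl_port is None:
        return {port: "tls"}                       # scenario 2
    return {port: "plaintext", ssl_port: "tls"}    # scenario 3 (migration)


def plaintext_ports(conf):
    """Ports that still accept unencrypted clients (empty after migration)."""
    listeners = resolve_native_listeners(conf)
    return sorted(p for p, mode in listeners.items() if mode == "plaintext")


# Constructed sample configs; the port numbers are illustrative.
PLAIN_ONLY = {"native_transport_port": 9042,
              "client_encryption_options": {"enabled": False}}
TLS_ONLY = {"native_transport_port": 9042,
            "client_encryption_options": {"enabled": True}}
DUAL = {"native_transport_port": 9042, "native_transport_port_ssl": 9142,
        "client_encryption_options": {"enabled": True}}
INVALID = {"native_transport_port": 9042, "native_transport_port_ssl": 9142,
           "client_encryption_options": {"enabled": False}}

if __name__ == "__main__":
    for name, conf in [("plain", PLAIN_ONLY), ("tls", TLS_ONLY), ("dual", DUAL)]:
        print(name, resolve_native_listeners(conf), plaintext_ports(conf))
```
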
