[ https://issues.apache.org/jira/browse/CASSANDRA-8751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14994460#comment-14994460 ]
Robert Stupp commented on CASSANDRA-8751:
-----------------------------------------
It is possible to accept both SSL and non-SSL traffic using the same server
socket as done in CASSANDRA-10559. Could be easily done with CASSANDRA-8457 in
the same way as CASSANDRA-10559 but maybe with some additional checks that _for
example_ enforce encrypted and maybe certificate authenticated for intra-DC
traffic.
> C* should always listen to both ssl/non-ssl ports
> -------------------------------------------------
>
> Key: CASSANDRA-8751
> URL: https://issues.apache.org/jira/browse/CASSANDRA-8751
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Minh Do
> Assignee: Minh Do
> Priority: Critical
> Fix For: 3.x
>
>
> Since there is always one thread dedicated to the server socket listener and it
> does not use many resources, we should always have these two listeners up no
> matter what users set for internode_encryption.
> The reason behind this is that we need to switch back and forth between
> different internode_encryption modes and we need C* servers to keep running
> in a transient state or during mode switching. Currently this is not possible.
> For example, we have an internode_encryption=dc cluster in a multi-region AWS
> environment and want to set internode_encryption=all by a rolling restart of the
> C* nodes. However, the node with internode_encryption=all does not open a
> listener on the non-ssl port. As a result, we have a split-brain cluster here.
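The single-socket approach mentioned in the comment depends on telling a TLS ClientHello from plaintext by its first bytes, then applying a policy check before plaintext is admitted. The sketch below is an added example, not Cassandra code or the CASSANDRA-10559 patch; the function names, the sample bytes, the policy and the idea that the peer's datacenter is already known at accept time are all assumptions.

```python
import socket

TLS_HANDSHAKE = 0x16      # TLS record ContentType "handshake"
MAX_PLAINTEXT = 1 << 14   # largest TLSPlaintext fragment length

# Constructed sample bytes, not captured traffic.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xC8]) + b"\x01\x00\x00\xc4"
SAMPLE_PLAIN = bytes([0xCA, 0x55, 0x2D, 0xFA, 0x00, 0x00])


def looks_like_tls(header: bytes) -> bool:
    """True if `header` starts with a TLS record header carrying a handshake."""
    if len(header) < 5:
        return False
    content_type, major, minor = header[0], header[1], header[2]
    length = int.from_bytes(header[3:5], "big")
    return (content_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_PLAINTEXT)


def admit(header: bytes, peer_dc: str, local_dc: str, mode: str) -> str:
    """Return 'tls', 'plain' or 'reject' for a new inbound connection."""
    if looks_like_tls(header):
        return "tls"  # hand the socket to the TLS handshake
    # Assumed policy: plaintext is refused wherever the mode demands encryption.
    must_encrypt = mode == "all" or (mode == "dc" and peer_dc != local_dc)
    return "reject" if must_encrypt else "plain"


def classify(conn: socket.socket, peer_dc: str, local_dc: str, mode: str) -> str:
    """Peek at the first bytes so a later TLS handshake still sees them."""
    header = conn.recv(5, socket.MSG_PEEK)
    return admit(header, peer_dc, local_dc, mode)


if __name__ == "__main__":
    for name, payload in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        client, server = socket.socketpair()
        client.sendall(payload)
        print(name, "->", classify(server, "dc2", "dc1", "dc"))
        client.close()
        server.close()
```

A header shorter than five bytes is treated as non-TLS, so in a mode that demands encryption a truncated first read is rejected rather than admitted as plaintext.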