[
https://issues.apache.org/jira/browse/CASSANDRA-11164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144958#comment-15144958
]
Tom Petracca commented on CASSANDRA-11164:
------------------------------------------
You need the filtering to ensure that you don't attempt to use an unsupported
cipher suite. We attempt to use (by default) TLS_RSA_WITH_AES_256_CBC_SHA,
which fails on systems that don't have the JCE Unlimited Strength Jurisdiction
Policy. However, I don't want to remove the unsupported suites from the default
because most people who have JCE will actually want to use the stronger ones
(and I generally like the idea of it having that functionality by default).
> Order and filter cipher suites correctly
> ----------------------------------------
>
> Key: CASSANDRA-11164
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11164
> Project: Cassandra
> Issue Type: Bug
> Reporter: Tom Petracca
> Priority: Minor
> Fix For: 2.2.x
>
> Attachments: 11164-2.2.txt
>
>
> As pointed out in https://issues.apache.org/jira/browse/CASSANDRA-10508,
> SSLFactory.filterCipherSuites() doesn't respect the ordering of desired
> ciphers in cassandra.yaml.
> Also the fix that occurred for
> https://issues.apache.org/jira/browse/CASSANDRA-3278 is incomplete and needs
> to be applied to all locations where we create an SSLSocket so that JCE is
> not required out of the box or with additional configuration.
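The filtering discussed in this thread, as an added example that is not part of the original message and is not Cassandra's own code: it keeps only the configured suites the running JVM supports, in the configured order, and refuses to continue if none remain. The class name `CipherSuiteFilter`, the method `filterPreservingOrder` and the preference list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class CipherSuiteFilter {
    // Hypothetical helper: iterate the *desired* list so the operator's
    // preference order survives; the supported list is used only for lookup.
    static String[] filterPreservingOrder(String[] supported, String[] desired) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>(desired.length);
        for (String suite : desired) {
            if (supportedSet.contains(suite) && !kept.contains(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed preference list, strongest first. The last entry is a
        // made-up name standing in for a suite this JVM does not provide.
        String[] desired = {
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_EXAMPLE_UNSUPPORTED_SUITE"
        };

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] usable = filterPreservingOrder(supported, desired);

        // Fail closed: an empty result must not fall back to JVM defaults.
        if (usable.length == 0) {
            throw new IllegalStateException("No configured cipher suite is supported by this JVM");
        }

        // setEnabledCipherSuites throws IllegalArgumentException for any
        // unsupported name, so every socket must receive the filtered list.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            socket.setEnabledCipherSuites(usable);
            System.out.println("Enabled, in order: " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Logging the suites that were dropped at startup makes it visible when a node is running with a weaker set than the configuration asks for.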