[jira] [Created] (CASSANDRA-11405) Server encryption cannot be enabled with the IBM JRE 1.7

Tue, 22 Mar 2016 14:25:09 -0700 

Guillermo Vega-Toro created CASSANDRA-11405:
-----------------------------------------------

             Summary: Server encryption cannot be enabled with the IBM JRE 1.7
                 Key: CASSANDRA-11405
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11405
             Project: Cassandra
          Issue Type: Bug
          Components: Configuration
         Environment: Linux, IBM JRE 1.7
            Reporter: Guillermo Vega-Toro
             Fix For: 2.2.6


When enabling server encryption with the IBM JRE (algorithm: IbmX509), an 
IllegalArgumentException is thrown from the IBM JSSE when the server is started:

ERROR 10:04:37,326 Exception encountered during startup
java.lang.IllegalArgumentException: SSLv2Hello
        at com.ibm.jsse2.qb.a(qb.java:50)
        at com.ibm.jsse2.pb.a(pb.java:101)
        at com.ibm.jsse2.pb.<init>(pb.java:77)
        at com.ibm.jsse2.oc.setEnabledProtocols(oc.java:77)
        at 
org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:64)
        at 
org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:425)
        at 
org.apache.cassandra.net.MessagingService.listen(MessagingService.java:409)
        at 
org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:693)
        at 
org.apache.cassandra.service.StorageService.initServer(StorageService.java:623)
        at 
org.apache.cassandra.service.StorageService.initServer(StorageService.java:515)
        at 
org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:437)
        at 
org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:567)
        at 
org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:656)

The problem is that the IBM JSSE does not support SSLv2Hello, but this protocol 
is hard-coded in class org.apache.cassandra.security.SSLFactory:

public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", 
"TLSv1", "TLSv1.1", "TLSv1.2"};

    public static SSLServerSocket getServerSocket(EncryptionOptions options, 
InetAddress address, int port) throws IOException
    {
        SSLContext ctx = createSSLContext(options, true);
        SSLServerSocket serverSocket = 
(SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
        serverSocket.setReuseAddress(true);
        String[] suits = 
filterCipherSuites(serverSocket.getSupportedCipherSuites(), 
options.cipher_suites);
        serverSocket.setEnabledCipherSuites(suits);
        serverSocket.setNeedClientAuth(options.require_client_auth);
        serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
        serverSocket.bind(new InetSocketAddress(address, port), 500);
        return serverSocket;
    }

This ACCEPTED_PROTOCOLS array should not be hard-coded. It should rather read 
the protocols from configuration, or if the algorithm is IbmX509, simply do not 
call setEnabledProtocols - with the IBM JSSE, the enabled protocol is 
controlled by the protocol passed to SSLContext.getInstance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to