Jane Deng commented on CASSANDRA-12773:

Thanks Stefan. The problem is people could not use the default password "cassandra" 
in production. We received the report of the error.

Actually I think there could be some improvement from SSLFactory.java:

public static SSLContext createSSLContext(EncryptionOptions options, boolean buildTruststore) throws IOException

The truststore holds the public key and will be passed by the client anyway. 
However, the keystore holds the private key which may or may not be passed by 
the client (depending on require_client_auth = true/false). In the current 
implementation, we load the keystore for every client request, but decide to 
load the truststore or not based on the parameter "buildTruststore". It may be 
better to change the context of "buildTruststore" to "buildKeystore". But this 
change will affect all of the current clients and it could be another JIRA. 


> cassandra-stress error for one way SSL 
> ---------------------------------------
>                 Key: CASSANDRA-12773
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12773
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tools
>            Reporter: Jane Deng
>         Attachments: 12773-2.2.patch
> CASSANDRA-9325 added keystore/truststore configuration into cassandra-stress. 
> However, for one way ssl (require_client_auth=false), there is no need to 
> pass keystore info into ssloptions. Cassandra-stress errored out:
> {noformat}
> java.lang.RuntimeException: java.io.IOException: Error creating the initializing the SSL Context
> at org.apache.cassandra.stress.settings.StressSettings.getJavaDriverClient(StressSettings.java:200)
> at org.apache.cassandra.stress.settings.SettingsSchema.createKeySpacesNative(SettingsSchema.java:79)
> at org.apache.cassandra.stress.settings.SettingsSchema.createKeySpaces(SettingsSchema.java:69)
> at org.apache.cassandra.stress.settings.StressSettings.maybeCreateKeyspaces(StressSettings.java:207)
> at org.apache.cassandra.stress.StressAction.run(StressAction.java:55)
> at org.apache.cassandra.stress.Stress.main(Stress.java:117)
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
> at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:151)
> at org.apache.cassandra.stress.util.JavaDriverClient.connect(JavaDriverClient.java:128)
> at org.apache.cassandra.stress.settings.StressSettings.getJavaDriverClient(StressSettings.java:191)
> ... 5 more
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:129)
> ... 7 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
> ... 10 more
> {noformat}
> It's a bug from CASSANDRA-9325. When the keystore is absent, the keystore is 
> assigned to the path of the truststore, but the password isn't taken care of.
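
The failure described in this issue, reproduced with the plain JSSE API as an added example; it is not Cassandra's SSLFactory code or the attached patch. The class and helper names are hypothetical, and the truststore is an empty store constructed in memory.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

public class OneWaySslContextDemo {
    // Hypothetical helper: parse a JKS store from bytes with the given password.
    static KeyStore load(byte[] jks, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(jks), password);
        return ks;
    }

    // Build a client context; the keystore is opened only when one is configured.
    static SSLContext clientContext(byte[] trust, char[] trustPw, byte[] key, char[] keyPw)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trust, trustPw));
        KeyManager[] keyManagers = null; // one-way SSL: the client presents no certificate
        if (key != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(key, keyPw), keyPw);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS truststore with a non-default password.
        char[] trustPw = "constructed-truststore-pw".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, trustPw);
        byte[] trust = out.toByteArray();

        // Reported failure: truststore reused as keystore, keystore password left at "cassandra".
        try {
            clientContext(trust, trustPw, trust, "cassandra".toCharArray());
        } catch (IOException e) {
            System.out.println("truststore reused as keystore: " + e.getMessage());
        }
        // One-way SSL with no keystore configured: no keystore password is ever checked.
        SSLContext ctx = clientContext(trust, trustPw, null, null);
        System.out.println("one-way context protocol: " + ctx.getProtocol());
    }
}
```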
