[
https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17092418#comment-17092418
]
Ekaterina Dimitrova commented on CASSANDRA-15262:
-------------------------------------------------
Just rebased and tried to start the server, but the following error appears when
I try to start Cassandra:
INFO [main] 2020-04-25 19:35:50,175 YamlConfigurationLoader.java:89 -
Configuration location:
file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered
during startup: Invalid yaml:
file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
Error: null; Can't construct a java object for
tag:yaml.org,2002:org.apache.cassandra.config.Config; exception=Cannot create
property=client_encryption_options for
JavaBean=org.apache.cassandra.config.Config@18078bef; Cannot create
property=enabled for
JavaBean=org.apache.cassandra.config.EncryptionOptions@ee7e1c03; Unable to find
property 'enabled' on class: org.apache.cassandra.config.EncryptionOptions; in
'reader', line 10, column 1:
cluster_name: 'Test Cluster'
^
Invalid yaml:
file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
Error: null; Can't construct a java object for
tag:yaml.org,2002:org.apache.cassandra.config.Config; exception=Cannot create
property=client_encryption_options for
JavaBean=org.apache.cassandra.config.Config@18078bef; Cannot create
property=enabled for
JavaBean=org.apache.cassandra.config.EncryptionOptions@ee7e1c03; Unable to find
property 'enabled' on class: org.apache.cassandra.config.EncryptionOptions; in
'reader', line 10, column 1:
cluster_name: 'Test Cluster'
^
ERROR [main] 2020-04-25 19:35:50,268 CassandraDaemon.java:789 - Exception
encountered during startup: Invalid yaml:
file:/Users/ekaterina.dimitri/CASSANDRA-15262/cassandra/conf/cassandra.yaml
Error: null; Can't construct a java object for
tag:yaml.org,2002:org.apache.cassandra.config.Config; exception=Cannot create
property=client_encryption_options for
JavaBean=org.apache.cassandra.config.Config@18078bef; Cannot create
property=enabled for
JavaBean=org.apache.cassandra.config.EncryptionOptions@ee7e1c03; Unable to find
property 'enabled' on class: org.apache.cassandra.config.EncryptionOptions; in
'reader', line 10, column 1:
cluster_name: 'Test Cluster'
That is because we still have it in config but we completely remove it from the
yaml. I just saw an old comment where you mention this issue and realized it
wasn't fixed.
Will look into how to fix it later or tomorrow.
Checked whether we already have the tests as you mentioned on Slack, but it looks
like there are some tests but not exactly what we need.
> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
> Key: CASSANDRA-15262
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
> Project: Cassandra
> Issue Type: Bug
> Components: Local/Config
> Reporter: Joey Lynch
> Assignee: Joey Lynch
> Priority: Normal
> Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations
> for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular
> encouraging anyone to use CBC ciphers is a bad plan)
> I propose that before the 4.0 cut we fix up server_encryption_options and even
> client_encryption_options:
> # Change the default {{optional}} setting to true. As the new Netty code
> intelligently decides to open a TLS connection or not this is the more
> sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to
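An added example, not part of the original comment or of the Cassandra code base: a pre-flight check for the two problems raised in this thread, an encryption-options key that the loader's bean no longer defines (the startup failure above) and CBC suites in `cipher_suites`. The YAML sample and the `ACCEPTED` key set are constructed for illustration and are assumptions, not the project's actual property list.

```python
import re

# Constructed sample based on the block quoted in the issue (cipher_suites uncommented).
SAMPLE = """\
server_encryption_options:
    enabled: false
    optional: false
    internode_encryption: none
    keystore: conf/.keystore
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
client_encryption_options:
    enabled: false
"""

# Assumption: hypothetical set of keys the target build's EncryptionOptions bean
# accepts. 'enabled' is left out to mirror the failure reported in the comment.
ACCEPTED = {"optional", "internode_encryption", "keystore", "keystore_password",
            "truststore", "truststore_password", "protocol", "cipher_suites"}

def parse_sections(text):
    """Collect 'key: value' lines under each top-level *encryption_options section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[0].isspace():                   # top-level key starts a section
            current = sections.setdefault(key, {}) if key.endswith("encryption_options") else None
        elif current is not None:
            current[key] = value.strip()
    return sections

def audit(text, accepted=ACCEPTED):
    """Return (section, item, reason) findings for unknown keys and CBC suites."""
    findings = []
    for section, opts in parse_sections(text).items():
        for key, value in opts.items():
            if key not in accepted:
                findings.append((section, key, "unknown property; loader would reject the file"))
            if key == "cipher_suites":
                for suite in re.findall(r"[A-Z0-9_]+", value):
                    if "_CBC_" in suite:
                        findings.append((section, suite, "CBC cipher suite"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```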