[ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100511#comment-17100511 ]

Joey Lynch edited comment on CASSANDRA-15262 at 5/6/20, 6:39 AM:
-----------------------------------------------------------------

Got a chance to look at this today. The first test failure was just because the 
default for client optional switched to true. The second failure was because I 
was still referencing the enabled logic in the server, so we were not entering 
transitional mode.

||Cassandra Branch||Dtest Branch||
|[jolynch:CASSANDRA-15262|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262]|[jolynch:CASSANDRA_15262|https://github.com/apache/cassandra-dtest/commit/98c0be8789f1a016a1038bf3337c0fbbc8580bd6]|

Running dtests now.

I agree, let's get this change just far enough so we can commit it, so that beta 
testers don't break with the upgrade, and we can revisit the naming of optional 
and internode_encryption_options in 15146 in 4.0-beta.

I think, because we added optional in 4.0, we can rename it to something like 
mode: <off, on, transitional> in the beta... We can figure out the naming in 
15146.



was (Author: jolynch):
Got a chance to look at this today. The first test failure was just because the 
default for client optional switched to true. The second failure was because I 
was still referencing the enabled logic in the server, so we were not entering 
transitional mode.

||Cassandra Branch||Dtest Branch||
|[jolynch:CASSANDRA-15262|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262]|[jolynch:CASSANDRA_15262|https://github.com/apache/cassandra-dtest/commit/98c0be8789f1a016a1038bf3337c0fbbc8580bd6]|

Running dtests now.

I agree, let's get this change just good enough so we can commit it, and we can 
revisit the naming of optional and internode_encryption_options in 15146 in 
4.0-beta.

I think, because we added optional in 4.0, we can rename it to something like 
mode: <off, on, transitional>... We can figure out the naming in 15146.


> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations 
> for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular, 
> encouraging anyone to use CBC ciphers is a bad plan).
> I propose that before the 4.0 cut we fixup server_encryption_options and even 
> client_encryption_options:
> # Change the default {{optional}} setting to true. As the new Netty code 
> intelligently decides to open a TLS connection or not this is the more 
> sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to
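A small config lint for the two points the ticket raises, as an added example rather than anything from the Cassandra project: it reads the flat `server_encryption_options` block out of a cassandra.yaml-style text without PyYAML, flags CBC cipher suites and `optional: false` on a TLS-enabled listener, and adds one check the ticket does not mention (the shipped `cassandra` keystore/truststore password). The sample configuration is constructed from the block quoted above with `enabled` flipped to true.

```python
# Constructed sample (not from cassandra.yaml): the ticket's block with
# `enabled` flipped to true so the checks have something to report.
SAMPLE_YAML = """\
server_encryption_options:
    # set to true for allowing secure incoming connections
    enabled: true
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
"""

def parse_section(text, section):
    """Minimal reader for the flat key: value block under `section:` (no PyYAML needed)."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing/whole-line comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # a top-level key starts or ends the section
            inside = line.strip() == section + ":"
            continue
        if inside and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if value.startswith("[") and value.endswith("]"):  # flow list
                opts[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            elif value.lower() in ("true", "false"):
                opts[key] = value.lower() == "true"
            else:
                opts[key] = value
    return opts

def lint_server_encryption(opts):
    """Findings for the ticket's two points plus an added default-password check."""
    findings = []
    cbc = [c for c in opts.get("cipher_suites", []) if "_CBC_" in c]
    if cbc:  # ticket point 2: CBC suites should not be encouraged
        findings.append("cbc_cipher_suites: " + ",".join(cbc))
    if opts.get("enabled") and not opts.get("optional", False):
        # ticket point 1: with optional false, only TLS peers are accepted on storage_port
        findings.append("optional_false: unencrypted peers rejected on storage_port")
    for k in ("keystore_password", "truststore_password"):
        if opts.get(k) == "cassandra":  # added check: the shipped example password
            findings.append(k + ": default password")
    return findings

if __name__ == "__main__":
    print(lint_server_encryption(parse_section(SAMPLE_YAML, "server_encryption_options")))
```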



--
This message was sent by Atlassian Jira
(v8.3.4#803005)