[
https://issues.apache.org/jira/browse/CASSANDRA-15980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168991#comment-17168991
]
Jon Meredith commented on CASSANDRA-15980:
------------------------------------------
While testing the fix-of-the-fix, I noticed that the Listen message is misleading.
It only output disabled if the encryption options were null; however, encryption
could still be disabled by configuration (I noticed when I started the server
up with enabled: false). For the ServerEncryptionOptions it's also possible to
be disabled depending on the internode_encryption, but inbound doesn't care
about that.
encryption off
{code}
INFO [main] 2020-07-31 10:06:20,234 InboundConnectionInitiator.java:129 -
Listening on address: (127.0.0.1:7000), nic: lo0, encryption: disabled
{code}
encryption enabled, NOT optional
{code}
INFO [main] 2020-07-31 10:12:26,417 InboundConnectionInitiator.java:129 -
Listening on address: (127.0.0.1:7001), nic: lo0, encryption: enabled
(factory=openssl)
{code}
encryption enabled, optional, enable legacy (both listens shown here)
{code}
INFO [main] 2020-07-31 10:14:49,407 InboundConnectionInitiator.java:129 -
Listening on address: (127.0.0.1:7001), nic: lo0, encryption: enabled
(factory=openssl)
INFO [main] 2020-07-31 10:14:49,495 InboundConnectionInitiator.java:129 -
Listening on address: (127.0.0.1:7000), nic: lo0, encryption: optional
(factory=openssl)
{code}
encryption enabled, optional, disable legacy
{code}
INFO [main] 2020-07-31 10:17:37,736 InboundConnectionInitiator.java:129 -
Listening on address: (127.0.0.1:7000), nic: lo0, encryption: optional
(factory=openssl)
{code}
with an optionally encrypted inbound connection logged as
{code}
INFO [Messaging-EventLoop-3-9] 2020-07-31 10:17:44,067
InboundConnectionInitiator.java:457 -
127.0.0.3:7000(127.0.0.1:60610)->127.0.0.1:7000-SMALL_MESSAGES-75d10ff2
messaging connection established, version = 12, framing = CRC, encryption =
optional (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
{code}
and a plaintext inbound connection logged as
{code}
INFO [Messaging-EventLoop-3-1] 2020-07-31 10:26:00,047
InboundConnectionInitiator.java:457 -
127.0.0.3:7000(127.0.0.1:60754)->127.0.0.1:7000-URGENT_MESSAGES-f3c595f8
messaging connection established, version = 12, framing = CRC, encryption =
disabled
{code}
> Improve log messages for socket connection/disconnection
> --------------------------------------------------------
>
> Key: CASSANDRA-15980
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15980
> Project: Cassandra
> Issue Type: Bug
> Components: Observability/Logging
> Reporter: Jon Meredith
> Assignee: Jon Meredith
> Priority: Normal
> Fix For: 4.0-beta
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Logging for inbound SSL connections can take place before protocol
> negotiation has taken place and logs a misleading cipher that could cause
> problems for security auditing.
>
>
> {code:java}
> INFO 2020-07-03T13:57:58,380 [Messaging-EventLoop-3-1]
> org.apache.cassandra.net.InboundConnectionInitiator:242 - connection from
> peer /1.1.1.1:57899 to /2.2.2.2:7000, protocol = TLSv1.2, cipher suite =
> SSL_NULL_WITH_NULL_NULL
> {code}
>
> Instead Cassandra should log the connection & protocol, then once the cipher
> has been negotiated log the agreed upon cipher.
>
>
> If the inbound SSL connection does not present a client certificate,
> Cassandra logs this error, even if the client wasn't required to.
> {code:java}
> ERROR 2020-07-14T11:58:45,925 [Native-Transport-Requests-1]
> org.apache.cassandra.transport.ServerConnection:140 - Failed to get peer
> certificates for peer /4.3.2.1:59263
> {code}
>
> Logging the absence of verified certificates should be a concern of the
> SaslNegotiator if it requires it, and not something worth alerting the
> operator for generally. Downgrade to debug message to make investigation
> possible if needed.
>
>
> Finally, to help with logging issues related to disconnection, add a log
> statement when an instance decides it no longer needs to keep a gossip
> connection open when cleaning up connections in
> org.apache.cassandra.net.OutboundConnections.UnusedConnectionMonitor#closeUnusedSinceLastRun
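As an added example (not part of this ticket and not Cassandra's own code), the following audit script applies the distinctions discussed above to the log formats quoted in the comment and in the issue description: it flags listeners that accept plaintext, connections established with encryption disabled or without a negotiated cipher, and the pre-negotiation SSL_NULL_WITH_NULL_NULL line that should not be treated as an audit record. The sample log lines are constructed to match the quoted formats.

```python
import re

# Constructed sample lines modelled on the formats quoted in this ticket (not real cluster output).
SAMPLE_LOG = """\
INFO [main] 2020-07-31 10:17:37,736 InboundConnectionInitiator.java:129 - Listening on address: (127.0.0.1:7000), nic: lo0, encryption: optional (factory=openssl)
INFO [Messaging-EventLoop-3-9] 2020-07-31 10:17:44,067 InboundConnectionInitiator.java:457 - 127.0.0.3:7000(127.0.0.1:60610)->127.0.0.1:7000-SMALL_MESSAGES-75d10ff2 messaging connection established, version = 12, framing = CRC, encryption = optional (factory=openssl;protocol=TLSv1.2;cipher=TLS_RSA_WITH_AES_256_CBC_SHA)
INFO [Messaging-EventLoop-3-1] 2020-07-31 10:26:00,047 InboundConnectionInitiator.java:457 - 127.0.0.3:7000(127.0.0.1:60754)->127.0.0.1:7000-URGENT_MESSAGES-f3c595f8 messaging connection established, version = 12, framing = CRC, encryption = disabled
INFO 2020-07-03T13:57:58,380 [Messaging-EventLoop-3-1] org.apache.cassandra.net.InboundConnectionInitiator:242 - connection from peer /1.1.1.1:57899 to /2.2.2.2:7000, protocol = TLSv1.2, cipher suite = SSL_NULL_WITH_NULL_NULL
"""

LISTEN_RE = re.compile(r"Listening on address: \((?P<addr>[^)]*)\).*?encryption: (?P<mode>\w+)")
ESTABLISHED_RE = re.compile(
    r"(?P<conn>\S+) messaging connection established, .*?encryption = (?P<mode>\w+)"
    r"(?: \((?P<details>[^)]*)\))?")
LEGACY_RE = re.compile(
    r"connection from peer (?P<peer>\S+) to \S+, protocol = \S+, cipher suite = (?P<cipher>\S+)")


def parse_details(blob):
    """Turn 'factory=openssl;protocol=TLSv1.2;cipher=...' into a dict."""
    return dict(kv.split("=", 1) for kv in blob.split(";") if "=" in kv)


def audit_line(line):
    """Return (subject, finding) for a line an auditor should look at, or None."""
    m = LISTEN_RE.search(line)
    if m and m.group("mode") in ("optional", "disabled"):
        return (m.group("addr"), "listener accepts plaintext internode connections")
    m = ESTABLISHED_RE.search(line)
    if m:
        mode, details = m.group("mode"), parse_details(m.group("details") or "")
        if mode == "disabled":
            return (m.group("conn"), "plaintext internode connection established")
        if "cipher" not in details:
            return (m.group("conn"), "encryption reported but no negotiated cipher logged")
        return None
    m = LEGACY_RE.search(line)
    if m and m.group("cipher") == "SSL_NULL_WITH_NULL_NULL":
        # The older message is emitted before the handshake completes, so the cipher is not real.
        return (m.group("peer"), "cipher logged before TLS negotiation; not an audit record")
    return None


def audit(log_text):
    """Collect findings over a whole log, one per flagged line, in order."""
    return [f for f in (audit_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_LOG):
        print(f"{finding}: {subject}")
```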
--
This message was sent by Atlassian Jira
(v8.3.4#803005)