[jira] [Commented] (CASSANDRA-13325) Bring back the accepted encryption protocols list as configurable option

Wed, 02 Dec 2020 15:48:05 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-13325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17242813#comment-17242813
 ] 

David Capwell commented on CASSANDRA-13325:
-------------------------------------------

Starting commit

CI Results (pending):
||Branch||Source||Circle CI||Jenkins||
|trunk|[branch|https://github.com/dcapwell/cassandra/tree/commit_remote_branch/CASSANDRA-13325-trunk-4DE5A387-1A32-4B6E-A4D0-5A7CAA3F3339]|[build|https://app.circleci.com/pipelines/github/dcapwell/cassandra?branch=commit_remote_branch%2FCASSANDRA-13325-trunk-4DE5A387-1A32-4B6E-A4D0-5A7CAA3F3339]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/242/]|


> Bring back the accepted encryption protocols list as configurable option
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13325
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Config
>            Reporter: Nachiket Patil
>            Assignee: Jon Meredith
>            Priority: Low
>             Fix For: 4.0-beta
>
>         Attachments: trunk.diff
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> With CASSANDRA-10508, the hard coded list of accepted encryption protocols 
> was eliminated. For some use cases, it is necessary to restrict the 
> encryption protocols used for communication between client and server. 
> Default JVM way of negotiations allows the best encryption protocol that 
> client can use. 
> e.g. I have set Cassandra to use encryption. Ideally client and server 
> negotiate to use best protocol (TLSv1.2). But a malicious client might force 
> TLSv1.0 which is susceptible to POODLE attacks.
> At the moment only way to restrict the encryption protocol is using the 
> {{jdk.tls.client.protocols}} systems property. If I dont have enough access 
> to modify this property, I dont have any way of restricting the encryption 
> protocols.
> I am proposing bring back the accepted_protocols property but make it 
> configurable. If not specified, let the JVM take care of the TLS negotiations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to