[https://issues.apache.org/jira/browse/CASSANDRA-16362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270501#comment-17270501]
Jon Meredith commented on CASSANDRA-16362:
------------------------------------------
In the end, it was a simple mistake, replacing the "TLS" with the
{{getSupportedSSLParameters}} rather than the {{getDefaultSSLParameters}} as I
had intended.
I also noticed that Netty always includes the SSLv2Hello pseudo-protocol as
Netty claims it is not possible to disable it
([https://github.com/netty/netty/commit/7a39afd031accea9ee38653afbd58eb1c466deda#diff-d9520f8137242d465d6e625873bfad7b7e27fb10168c144236757d2ec1141b1dR205]).
After a bit of reading, it seems like it was historically used by Java
clients to help negotiate the real protocol.
To avoid unnecessarily scaring people (and auditors) that SSLv2 is enabled when
it is not, I've added a filter for SSLv2Hello in the info level message, and log
the full list at debug level.
I've pushed two new commits we can squash on merge that fix the
Supported->Default bug, and filter out SSLv2Hello.
[https://github.com/jonmeredith/cassandra/tree/C16362-switch-to-default-options]
CircleCI
https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=C16362-switch-to-default-options
To prove to myself that the protocols served match the configuration, I've run
a combination of protocol settings and JVM versions and checked the testssl.sh
and log output.
For each cluster name (made up of java version and protocol option configured)
this lists the client encryption options, the log lines emitted and the
protocol test section of the testssl.sh output.
{code:java}
=== Cluster /home/jmeredith/.ccm/c16362_11_0_9_11_2_ ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 15:08:45,259 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 15:08:45,259 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
INFO [main] 2021-01-22 15:08:45,259 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_11_0_9_11_2_TLS ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLS
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 15:13:06,715 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 15:13:06,715 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
INFO [main] 2021-01-22 15:13:06,715 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_11_0_9_11_2_TLSv1_2 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.2
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 15:17:32,582 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 15:17:32,587 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.2
INFO [main] 2021-01-22 15:17:32,587 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.2
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_11_0_9_11_2_TLSv1_3 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.3
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 15:21:42,102 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 15:21:42,102 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.3
INFO [main] 2021-01-22 15:21:42,102 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_161_2_b14_ ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:31:57,882 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:31:57,882 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
INFO [main] 2021-01-22 14:31:57,882 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_161_2_b14_TLS ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLS
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:36:27,957 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:36:27,957 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2
INFO [main] 2021-01-22 14:36:27,957 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_161_2_b14_TLSv1_2 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.2
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:40:51,398 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:40:51,398 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.2
INFO [main] 2021-01-22 14:40:51,398 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.2
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_161_2_b14_TLSv1_3 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.3
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:45:04,453 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:45:04,453 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.3
INFO [main] 2021-01-22 14:45:04,454 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_222_b10_ ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:50:21,956 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:50:21,957 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
INFO [main] 2021-01-22 14:50:21,957 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_222_b10_TLS ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLS
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:54:35,390 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:54:35,390 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2
INFO [main] 2021-01-22 14:54:35,390 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_222_b10_TLSv1_2 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.2
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 14:58:48,919 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 14:58:48,919 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.2
INFO [main] 2021-01-22 14:58:48,920 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.2
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered
=== Cluster /home/jmeredith/.ccm/c16362_1_8_0_222_b10_TLSv1_3 ===
client_encryption_options:
algorithm: SunX509
enabled: true
keystore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/127.0.0.1.jks
optional: false
protocol: TLSv1.3
require_client_auth: true
store_type: JKS
truststore:
/home/jmeredith/cassandra-medusa/tests/resources/local_with_ssl/generic-server-truststore.jks
DEBUG [main] 2021-01-22 15:02:57,010 SSLFactory.java:517 - Native transport
supported TLS protocols: SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
DEBUG [main] 2021-01-22 15:02:57,010 SSLFactory.java:519 - Native transport
unfiltered enabled TLS protocols: SSLv2Hello, TLSv1.3
INFO [main] 2021-01-22 15:02:57,010 SSLFactory.java:521 - Native transport
enabled TLS protocols: TLSv1.3
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
{code}
> SSLFactory should initialize SSLContext before setting protocols
> ----------------------------------------------------------------
>
> Key: CASSANDRA-16362
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16362
> Project: Cassandra
> Issue Type: Bug
> Components: Tool/bulk load
> Reporter: Erik Merkle
> Assignee: Jon Meredith
> Priority: Normal
> Fix For: 4.0-beta5
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Trying to use sstableloader from the latest trunk produced the following
> Exception:
> {quote}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL
> Context.
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:261)
> at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:64)
> at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:49)
> Caused by: java.io.IOException: Error creating/initializing the SSL Context
> at
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:184)
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:257)
> ... 2 more
> Caused by: java.lang.IllegalStateException: SSLContext is not initialized
> at
> sun.security.ssl.SSLContextImpl.engineGetSocketFactory(SSLContextImpl.java:208)
> at javax.net.ssl.SSLContextSpi.getDefaultSocket(SSLContextSpi.java:158)
> at
> javax.net.ssl.SSLContextSpi.engineGetDefaultSSLParameters(SSLContextSpi.java:184)
> at javax.net.ssl.SSLContext.getDefaultSSLParameters(SSLContext.java:435)
> at
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:178)
> ... 3 more
> {quote}
> I believe this is because of a change to SSLFactory for CASSANDRA-13325 here:
> [https://github.com/apache/cassandra/commit/919a8964a83511d96766c3e53ba603e77bca626c#diff-0d569398cfd58566fc56bfb80c971a72afe3f392addc2df731a0b44baf29019eR177-R178]
>
> I think the solution is to call {{ctx.init()}} before trying to call
> {{ctx.getDefaultSSLParameters()}}, essentially swapping the two lines in the
> link above.
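The three points raised in this thread (initialise the SSLContext before calling getDefaultSSLParameters, use the Default rather than the Supported parameters, and keep the SSLv2Hello pseudo-protocol out of the INFO-level log line) shown together as an added, stand-alone Java example; this is not Cassandra's SSLFactory code, and the class and method names are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper (not Cassandra's SSLFactory) that mirrors the ordering
// and filtering fixes discussed in CASSANDRA-16362.
public final class TlsProtocolCheck {

    /** Returns the protocols enabled by default for a JSSE protocol name such
     *  as "TLS", "TLSv1.2" or "TLSv1.3". The context must be initialised first:
     *  getDefaultSSLParameters() on an uninitialised SSLContext throws
     *  IllegalStateException ("SSLContext is not initialized"). */
    public static String[] defaultProtocols(String protocol)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // fix 1: init() BEFORE querying parameters
        // fix 2: Default, not Supported. getSupportedSSLParameters() lists every
        // version the provider can speak, regardless of the configured protocol,
        // so using it would make "TLSv1.2" look as if it enabled TLSv1 as well.
        SSLParameters params = ctx.getDefaultSSLParameters();
        return params.getProtocols();
    }

    /** Drops SSLv2Hello, which only names a hello-message format and is not the
     *  SSLv2 protocol, so the INFO log line does not suggest SSLv2 is enabled.
     *  The unfiltered list is still worth logging at DEBUG. */
    public static List<String> filterSslv2Hello(String[] protocols) {
        List<String> out = new ArrayList<>();
        for (String p : protocols) {
            if (!"SSLv2Hello".equals(p)) {
                out.add(p);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        for (String protocol : new String[] {"TLS", "TLSv1.2", "TLSv1.3"}) {
            String[] enabled = defaultProtocols(protocol);
            System.out.println(protocol + " unfiltered enabled: " + Arrays.toString(enabled));
            System.out.println(protocol + " enabled: " + filterSslv2Hello(enabled));
        }
    }
}
```

Which versions the "TLS" context enables by default depends on the JVM (the ticket's runs show TLSv1.3 present on Java 11 and absent on Java 8u161/8u222), so the printed lists vary by runtime and should be checked against a testssl.sh run as the thread does.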
--
This message was sent by Atlassian Jira
(v8.3.4#803005)