Dmitry Potepalov created CASSANDRA-17367:
--------------------------------------------

             Summary: sstableloader ignores streaming encryption settings
                 Key: CASSANDRA-17367
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17367
             Project: Cassandra
          Issue Type: Bug
            Reporter: Dmitry Potepalov


Reproducible in Cassandra 4.x. If one configures encryption for streaming in the 
config YAML fed to sstableloader like this

{code:yaml}
server_encryption_options:
    internode_encryption: all
    keystore: sstableloader.keystore.p12
    keystore_password: changeit
    truststore: sstableloader.truststore.jks
    truststore_password: changeit
{code}


then sstableloader should perform an SSL handshake on the streaming connections 
and encrypt the payload. But this does not happen. Judging by the tcpdump of 
the outgoing traffic on the internode port, sstableloader sends plaintext 
traffic. This is the TCP payload of the first packet that sstableloader sends 
after establishing the TCP connection:

{{ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0}}

The first 4 bytes look like Cassandra protocol magic, not like a client hello.

I discovered the issue while trying to migrate some data to a Cassandra 4 node 
listening on the legacy SSL storage port (therefore accepting only encrypted 
connections on that port). The streaming phase of the migration failed with a 
"connection closed" error, which hints that the connection was closed 
server-side.
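An added check, not part of this issue or of Cassandra's own code, for confirming from a capture whether a streaming connection actually negotiated TLS: it classifies the first bytes a client sends as either the Cassandra internode protocol magic (plaintext, the symptom reported here) or a TLS handshake record carrying a ClientHello. The captured payload is copied from the report above; the ClientHello prefix and the 0xCA552DFA constant (Cassandra's MessagingService.PROTOCOL_MAGIC) are supplied here as assumptions.

```python
import struct

# First TCP payload sstableloader sent, copied from the issue text above.
CAPTURED_FIRST_PAYLOAD = bytes.fromhex("ca552dfa0c0c0c08060af001f91b58a832f2d0")

# Cassandra internode protocol magic (MessagingService.PROTOCOL_MAGIC).
CASSANDRA_PROTOCOL_MAGIC = 0xCA552DFA

# TLS record-layer constants (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPE_HANDSHAKE = 0x16
TLS_HANDSHAKE_TYPE_CLIENT_HELLO = 0x01


def classify_first_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends on a freshly opened connection.

    Returns one of:
      "cassandra-plaintext" - starts with the internode protocol magic, so no
                              TLS handshake took place (the bug in this report);
      "tls-client-hello"    - a well-formed TLS handshake record whose first
                              message is a ClientHello, i.e. TLS is negotiated;
      "unknown"             - anything else.
    """
    if len(payload) >= 4 and struct.unpack(">I", payload[:4])[0] == CASSANDRA_PROTOCOL_MAGIC:
        return "cassandra-plaintext"
    # TLS record header: type(1) version(2) length(2), then handshake type(1).
    if len(payload) >= 6 and payload[0] == TLS_CONTENT_TYPE_HANDSHAKE:
        major, minor = payload[1], payload[2]
        record_len = struct.unpack(">H", payload[3:5])[0]
        # Record-layer version is 0x0300..0x0304 for SSL 3.0 through TLS 1.3.
        if (major == 0x03 and minor <= 0x04 and record_len > 0
                and payload[5] == TLS_HANDSHAKE_TYPE_CLIENT_HELLO):
            return "tls-client-hello"
    return "unknown"


# Constructed sample of how an encrypted stream begins: a TLS record header
# (type 0x16, version 0x0301, length 0x0100) followed by a ClientHello
# handshake header (type 0x01, length 0x0000fc) and the 0x0303 client version.
CONSTRUCTED_CLIENT_HELLO_PREFIX = bytes.fromhex("160301010001000000fc0303")

if __name__ == "__main__":
    print(classify_first_payload(CAPTURED_FIRST_PAYLOAD))           # cassandra-plaintext
    print(classify_first_payload(CONSTRUCTED_CLIENT_HELLO_PREFIX))  # tls-client-hello
```

Feed it the first payload of a stream reassembled from tcpdump; a "cassandra-plaintext" result on a connection that should be encrypted is the condition this report describes.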

--
This message was sent by Atlassian Jira
(v8.20.1#820001)