[
https://issues.apache.org/jira/browse/CASSANDRA-17367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498891#comment-17498891
]
Brandon Williams edited comment on CASSANDRA-17367 at 2/28/22, 1:37 PM:
------------------------------------------------------------------------
I think we're covering the non-SSL case in [these
tests|https://github.com/apache/cassandra/blob/trunk/test/unit/org/apache/cassandra/io/sstable/SSTableLoaderTest.java#L127].
bq. the original test is using legacy sstables and now we'd be removing that
That is still a concern. I think we could just go back to legacy here, so we
end up with legacy/ssl and current/non-ssl test configurations.
bq. Like we had to support both ways
Hmm, I'm not sure if I recall something about this, but it doesn't really make
sense... if you don't specify encryption settings, you can't expect it to work
with SSL, but if you do specify it, you want it to work with either SSL or not?
I'm ok with saying explicit is better than implicit here.
was (Author: brandon.williams):
I think we're covering the non-SSL case in [these
tests|https://github.com/apache/cassandra/blob/trunk/test/unit/org/apache/cassandra/io/sstable/SSTableLoaderTest.java#L127].
bq. the original test is using legacy sstables and now we'd be removing that
That is still a concern. I think we can just go back to legacy here, so we end
up with legacy/ssl and current/non-ssl test configurations.
> sstableloader ignores streaming encryption settings
> ---------------------------------------------------
>
> Key: CASSANDRA-17367
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17367
> Project: Cassandra
> Issue Type: Bug
> Components: Tool/bulk load
> Reporter: Dmitry Potepalov
> Assignee: Dmitry Potepalov
> Priority: Normal
> Fix For: 4.0.x, 4.x
>
> Attachments: 17367-4.0.txt, 17367-trunk.txt
>
>
> Reproducible in Cassandra 4.x. If one configures encryption for streaming in
> config yaml fed to sstableloader like this
> {{server_encryption_options:}}
> {{ internode_encryption: all}}
> {{ keystore: sstableloader.keystore.p12}}
> {{ keystore_password: changeit}}
> {{ truststore: sstableloader.truststore.jks}}
> {{ truststore_password: changeit}}
> then sstableloader should perform an SSL handshake on the streaming
> connections and encrypt the payload. But this does not happen. Judging by the
> tcpdump of the outgoing traffic on the internode port, sstableloader sends
> plaintext traffic. This is the TCP payload of the first packet that
> sstableloader sends after establishing the TCP connection:
> {{ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0}}
> The first 4 bytes look like Cassandra protocol magic, not like a client hello.
> I've discovered the issue while trying to migrate some data to a Cassandra 4
> listening on the legacy ssl storage port (therefore, accepting only encrypted
> connections on that port). Streaming phase of the migration failed with a
> "connection closed" error, which hints that the connection was closed
> server-side.
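The check the reporter made by eye on the capture, written out as an added example (not code from the ticket or from Cassandra): it classifies the first payload sent on a streaming connection as plaintext Cassandra or as a TLS ClientHello. The magic constant is taken from the bytes quoted in the report; the ClientHello sample and all function names are constructed for illustration.

```python
import struct

# First four bytes of the payload quoted in the report (identified there as
# Cassandra protocol magic).
CASSANDRA_MAGIC = bytes.fromhex("ca552dfa")
TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
TLS_MAX_RECORD = 1 << 14  # maximum TLSPlaintext fragment length


def parse_hex_dump(text):
    """Convert space-separated hex bytes, as pasted from a capture, to bytes."""
    return bytes.fromhex("".join(text.split()))


def classify_first_payload(payload):
    """Classify the first TCP payload a client sends after connecting."""
    if payload[:4] == CASSANDRA_MAGIC:
        return "cassandra-plaintext"
    if len(payload) < 6:
        return "too-short"
    # TLS record header: type (1), version major/minor (2), length (2).
    content_type, major, minor, length = struct.unpack(">BBBH", payload[:5])
    if (content_type == TLS_HANDSHAKE and major == 0x03 and minor <= 0x04
            and 0 < length <= TLS_MAX_RECORD
            and payload[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    return "unknown"


def unencrypted_connections(first_payloads):
    """Return labels of connections whose first payload is not a ClientHello."""
    return [label for label, payload in first_payloads.items()
            if classify_first_payload(payload) != "tls-client-hello"]


# Payload quoted in the report, plus a constructed (truncated) ClientHello prefix.
REPORTED = parse_hex_dump("ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0")
CONSTRUCTED_HELLO = parse_hex_dump("16 03 01 00 2f 01 00 00 2b 03 03")

if __name__ == "__main__":
    samples = {"reported": REPORTED, "constructed-tls": CONSTRUCTED_HELLO}
    for label, payload in samples.items():
        print(label, classify_first_payload(payload))
    print("not encrypted:", unencrypted_connections(samples))
```

Run against the first client-to-server payload of each streaming connection in a capture, this flags any connection that starts with Cassandra framing when `internode_encryption: all` is configured.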