[ 
https://issues.apache.org/jira/browse/CASSANDRA-17365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517407#comment-17517407
 ] 

Stefan Miklosovic edited comment on CASSANDRA-17365 at 4/5/22 12:28 PM:
------------------------------------------------------------------------

[~bschoeni] would you mind updating the documentation? That version field in 
the [ssl] section will not exist anymore and the docs need to reflect that. 
Tell me if this is "too much" for you and I'll get it done.

We should also emit some warning when people are still using these properties, 
telling them that what they are trying to set is not relevant and it is 
autonegotiated and that it will be removed in the next release completely 
(the warning).


was (Author: smiklosovic):
[~bschoeni] would you mind updating the documentation? That version field in 
the [ssl] section will not exist anymore and the docs need to reflect that. 
Tell me if this is "too much" for you and I'll get it done.

> Remove deprecated version specific TLS in CQLSH
> -----------------------------------------------
>
>                 Key: CASSANDRA-17365
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17365
>             Project: Cassandra
>          Issue Type: Task
>          Components: CQL/Interpreter
>            Reporter: Brad Schoening
>            Assignee: Brad Schoening
>            Priority: Normal
>             Fix For: 4.x
>
>
> According to [https://docs.python.org/3/library/ssl.html] use of explicit TLS 
> versions v1, v1_1 and v1_2 has been deprecated in Python 3.6+ in favor of 
> auto-negotiation of the highest protocol version that both the client and 
> server support.
>  * {{ssl.PROTOCOL_TLSv1}}
>  * {{ssl.PROTOCOL_TLSv1_1}}
>  * {{ssl.PROTOCOL_TLSv1_2}}
> The above are deprecated since version 3.6: OpenSSL has deprecated all 
> version specific protocols.
> This affects cqlshlib/sslhandling.py and cqlshlib/test/test_sslhandling.py. 
> And also config files 
> test/config/{sslhandling.config, sslhandling_invalid.config}
>  
> "NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 
> 3.0, TLS 1.0, and TLS 1.1 not be used"
> [https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF]
> The DataStax driver has addressed this in 3.25 with this update:
> Update security documentation and examples to use PROTOCOL_TLS (PYTHON-1264)
> [https://datastax-oss.atlassian.net/browse/PYTHON-1264]
> [https://github.com/datastax/python-driver/commit/8331eca6cc96d8bd3af2e37bc64693747515c2b6]
> This change will also remove the unit test class test_sslhandling.py which 
> only tested version lookups and nothing else with ssl.



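One way the warning proposed in the comment could be combined with auto-negotiation, as an added example that is not cqlshlib's own code. The function name `build_ssl_context` and the sample config are constructed for illustration, and the TLS 1.2 floor is an assumption taken from the NSA recommendation quoted in the issue.

```python
import configparser
import ssl
import warnings

# Constructed sample: a cqlshrc that still carries the legacy version key.
SAMPLE_CQLSHRC = """
[ssl]
version = TLSv1_1
"""


def build_ssl_context(cqlshrc_text):
    """Return (context, ignored_version) for a cqlshrc-style config string.

    Hypothetical helper: the [ssl] version value is read only so that the
    user can be told it has no effect; it never selects a protocol.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(cqlshrc_text)
    ignored = cfg.get("ssl", "version", fallback=None)
    if ignored is not None:
        warnings.warn(
            "[ssl] version = %s is ignored: the TLS version is "
            "auto-negotiated with the server" % ignored,
            DeprecationWarning,
            stacklevel=2,
        )
    # PROTOCOL_TLS_CLIENT negotiates the highest version both peers support,
    # replacing the deprecated ssl.PROTOCOL_TLSv1 / _1_1 / _1_2 constants.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: refuse anything below TLS 1.2, per the quoted NSA guidance.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx, ignored


if __name__ == "__main__":
    warnings.simplefilter("always")
    context, legacy = build_ssl_context(SAMPLE_CQLSHRC)
    print("ignored legacy value:", legacy)
    print("minimum version:", context.minimum_version.name)
```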