Jon Meredith created CASSANDRA-18681:
----------------------------------------
Summary: Internode legacy SSL storage port certificate is not hot reloaded on update
Key: CASSANDRA-18681
URL: https://issues.apache.org/jira/browse/CASSANDRA-18681
Project: Cassandra
Issue Type: Bug
Components: Messaging/Internode
Reporter: Jon Meredith
In CASSANDRA-16666 the SSLContext cache was changed to clear individual
{{EncryptionOptions}} from the SslContext cache if they needed reloading to
reduce resource consumption. Before the change if ANY cert needed hot
reloading, the SSLContext cache would be cleared for ALL certs.
If the legacy SSL storage port is configured, a new {{EncryptionOptions}}
object is created in {{org.apache.cassandra.net.InboundSockets#addBindings}}
just for binding the socket, but never gets cleared as the change in port means
it no longer matches the configuration retrieved from {{DatabaseDescriptor}} in
{{org.apache.cassandra.net.MessagingServiceMBeanImpl#reloadSslCertificates}}.
This is unlikely to be an issue in practice as the legacy SSL internode socket
is only used in mixed version clusters with pre-4.0 nodes, so the cert only
needs to stay valid until all nodes upgrade to 4.x or above.
One way to avoid this class of failures is to just check the entries present in
the SSLContext cache.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
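The following is an added example, not code from the Cassandra project or from the reporter, modelling the failure mode the issue describes: a cache keyed by options objects, a reload that walks the configured options and evicts only their entries, and a second copy of the options created for the legacy SSL storage port whose key never matches. The class and method names (EncryptionOptions, SslContextCache, reloadByConfig, reloadByCacheEntries) and the keystore path are illustrative assumptions; only the ports 7000 (storage_port) and 7001 (ssl_storage_port) are Cassandra defaults. The certificate labels are constructed sample data standing in for real keystore contents.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/* Added example, not Cassandra code. Names below are illustrative and do not
 * correspond to the classes in org.apache.cassandra.net or security packages. */
public class SslContextCacheDemo {

    /** Stand-in for EncryptionOptions: equality includes the port, so the copy made
     *  for binding the legacy SSL storage port is a different cache key. */
    static final class EncryptionOptions {
        final String keystore;
        final int port;
        EncryptionOptions(String keystore, int port) { this.keystore = keystore; this.port = port; }
        EncryptionOptions withPort(int newPort) { return new EncryptionOptions(keystore, newPort); }
        @Override public boolean equals(Object o) {
            if (!(o instanceof EncryptionOptions)) return false;
            EncryptionOptions other = (EncryptionOptions) o;
            return port == other.port && keystore.equals(other.keystore);
        }
        @Override public int hashCode() { return Objects.hash(keystore, port); }
        @Override public String toString() { return keystore + ":" + port; }
    }

    /** Stand-in for the keystore on disk: path -> certificate currently stored (constructed). */
    static final Map<String, String> keystoreContents = new HashMap<>();

    /** Cache of built contexts, represented by the certificate each was built from. */
    static final class SslContextCache {
        private final Map<EncryptionOptions, String> contexts = new HashMap<>();

        /** Build (or return the cached) context for these options. */
        String get(EncryptionOptions opts) {
            return contexts.computeIfAbsent(opts, o -> keystoreContents.get(o.keystore));
        }

        /** Per-entry reload driven by the configured options, as described after
         *  CASSANDRA-16666: only keys equal to a configured options object are
         *  considered, so an entry cached under the legacy-port copy is skipped. */
        void reloadByConfig(List<EncryptionOptions> configured) {
            for (EncryptionOptions opts : configured) {
                if (isStale(opts)) contexts.remove(opts);
            }
        }

        /** The approach the issue suggests: decide what to evict from the entries
         *  actually present in the cache, so derived keys are covered as well. */
        void reloadByCacheEntries() {
            Iterator<Map.Entry<EncryptionOptions, String>> it = contexts.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<EncryptionOptions, String> e = it.next();
                if (!e.getValue().equals(keystoreContents.get(e.getKey().keystore))) it.remove();
            }
        }

        /** True if a cached context exists for opts but was built from a certificate
         *  that no longer matches the keystore. */
        boolean isStale(EncryptionOptions opts) {
            String cached = contexts.get(opts);
            return cached != null && !cached.equals(keystoreContents.get(opts.keystore));
        }
    }

    public static void main(String[] args) {
        String ks = "/etc/cassandra/conf/server.jks";          // assumed path
        keystoreContents.put(ks, "cert-2023");                  // constructed sample
        EncryptionOptions configured = new EncryptionOptions(ks, 7000);
        EncryptionOptions legacy = configured.withPort(7001);   // copy made only for binding

        SslContextCache cache = new SslContextCache();
        cache.get(configured);
        cache.get(legacy);

        keystoreContents.put(ks, "cert-2024");                  // certificate rotated on disk
        cache.reloadByConfig(List.of(configured));
        System.out.println("after config-driven reload, legacy stale = " + cache.isStale(legacy));
        // prints: after config-driven reload, legacy stale = true
        System.out.println("legacy context still serves " + cache.get(legacy));
        // prints: legacy context still serves cert-2023

        cache.reloadByCacheEntries();
        System.out.println("after cache-driven reload, legacy stale = " + cache.isStale(legacy));
        // prints: after cache-driven reload, legacy stale = false
        System.out.println("legacy context now serves " + cache.get(legacy));
        // prints: legacy context now serves cert-2024
    }
}
```

The first reload leaves the 7001 entry serving the old certificate because the reload only ever looks up the 7000 key it was handed; the second reload evicts by inspecting the cache's own keys, which is what makes it independent of how many derived options objects were created when sockets were bound.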