[ 
https://issues.apache.org/jira/browse/CASSANDRA-19660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849797#comment-17849797
 ] 

Zbyszek Z commented on CASSANDRA-19660:
---------------------------------------

In fact, it seems C* 4.1.4 will run 2.0.65 just fine with the OpenSSL FIPS version. 
However, it seems that to take advantage (?) of the FIPS module in OpenSSL, 
fipsModeSet(int) needs to be passed to the library. Currently I think Cassandra 
has no way of configuring that.

So something like this (untested/dirty/example) should be added to the Cassandra 
tcnative handler:
{code:java}
import io.netty.internal.tcnative.SSL;

public class NettyFipsConfigurator {
    // throws Exception: lets any exception raised by the native call propagate
    public static void main(String[] args) throws Exception {
        // Read the enableFipsMode system property ("1" enables FIPS mode)
        String enableFipsProperty = System.getProperty("enableFipsMode", "0");
        boolean enableFips = "1".equals(enableFipsProperty);

        // Set FIPS mode; fipsModeSet takes an int (1 = enable, 0 = disable)
        int result = SSL.fipsModeSet(enableFips ? 1 : 0);
        // Assumption: the return value is that of OpenSSL's FIPS_mode_set,
        // which returns 1 on success and 0 on failure.
        if (result == 1) {
            System.out.println("FIPS mode " + (enableFips ? "enabled" : "disabled") + " successfully.");
        } else {
            System.err.println("Failed to " + (enableFips ? "enable" : "disable") + " FIPS mode. Error code: " + result);
        }
    }
}
{code}
Since I do not know the C* code, I am not sure how/where similar code should be 
added to handle an option for this.

> Support for netty-tcnative 2.0.62+
> ----------------------------------
>
>                 Key: CASSANDRA-19660
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19660
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Zbyszek Z
>            Priority: Normal
>
> Hello,
> Are there plans to support netty-tcnative in version 2.0.62? The current version 
> 2.0.36 does not work with OpenSSL 3.x. The motivation is that OpenSSL 3.0.9+ is 
> FIPS certified.
> Currently I am able to replace the library's default BoringSSL implementation with 
> OpenSSL by recompiling netty-tcnative, but Cassandra fails to load 2.0.62 
> regardless of whether it is compiled with 1.1.1 or 3.0.
> Or is there another way to implement OpenSSL 3.x?
> Thank you


