[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable cipher suites that aren't supported

Thu, 06 Oct 2011 16:47:53 -0700 

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vijay updated CASSANDRA-3278:
-----------------------------

    Attachment: 0001-commiting-filter-for-supported-suits.patch
                0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch
                0003-expose-the-available-options-in-yaml.patch

We can also expose some of the available options so the users can choose.
                
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
>                 Key: CASSANDRA-3278
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 0.8.0
>         Environment: OpenJDK on debian squeeze
>            Reporter: George
>            Priority: Minor
>             Fix For: 0.8.8, 1.0.0
>
>         Attachments: 0001-commiting-filter-for-supported-suits.patch, 
> 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch, 
> 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt, 
> cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls 
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
>  with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
>     "TLS_RSA_WITH_AES_128_CBC_SHA", 
>     "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to 
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
>  fails on systems that don't have [Java Cryptography Extension (JCE) 
> Unlimited Strength Jurisdiction Policy Files 
> 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html]
>  because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in 
> SSLFactory.java should call 
> [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()]
>  to find out which of the suites specified are supported.
> Thanks,
> George

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to