[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ekaterina Dimitrova updated CASSANDRA-15262:
--------------------------------------------
    Test and Documentation Plan: [trunk|https://github.com/apache/cassandra/compare/trunk...jolynch:CASSANDRA-15262] [dtest|https://github.com/apache/cassandra-dtest/commit/98c0be8789f1a016a1038bf3337c0fbbc8580bd6]
                         Status: Patch Available  (was: In Progress)

> server_encryption_options is not backwards compatible with 3.11
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular, encouraging anyone to use CBC ciphers is a bad plan)
>
> I propose that before the 4.0 cut we fix up server_encryption_options and even client_encryption_options:
> # Change the default {{optional}} setting to true. As the new Netty code intelligently decides to open a TLS connection or not, this is the more sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
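The ticket's second point is that the shipped `cipher_suites` list is entirely CBC-with-HMAC-SHA1 and that two of the suites use static RSA key exchange, so a peer that honours the list gets neither an AEAD cipher nor forward secrecy. The linter below is an added example written for this discussion, not Cassandra's code or the patch under review: it parses the quoted `server_encryption_options` block (with the commented "advanced defaults" uncommented so they are visible), flags the weak settings the ticket describes, and checks a hardened block beside it. The hardened values, the `TLSv1.2` protocol name and the placeholder passwords are my assumptions about a sensible end state after a TLS rollout, not values the ticket landed; the parser handles only the flat `key: value` and `[a, b]` subset the block uses, so a production tool should use a real YAML parser.

```python
"""Lint a cassandra.yaml server_encryption_options block for weak TLS settings.

Added example for the CASSANDRA-15262 discussion; this is not Cassandra's own
code and the hardened block is an assumption, not the values the ticket landed.
Only the flat `key: value` and flow-list `[a, b]` subset used by that block is
parsed, so PyYAML is not needed; a production tool should use a real YAML parser.
"""

# The block quoted in the ticket, with its commented "advanced defaults"
# uncommented so the linter sees the values a node would actually use.
WEAK_CONFIG = """\
server_encryption_options:
    enabled: false
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: false
    require_endpoint_verification: false
"""

# Assumed hardened end state for a cluster that has finished its TLS rollout:
# every peer link encrypted and mutually authenticated, TLS 1.2 only, AEAD
# suites with forward secrecy, and no shipped default passwords. During the
# rollout the ticket describes, `optional: true` is the transitional setting.
HARDENED_CONFIG = """\
server_encryption_options:
    enabled: true
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: set-from-secret-store
    truststore: conf/.truststore
    truststore_password: set-from-secret-store
    protocol: TLSv1.2
    store_type: JKS
    cipher_suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
    require_client_auth: true
    require_endpoint_verification: true
"""


def parse_encryption_options(text):
    """Return the block's settings as a dict; flow lists and booleans are converted."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or line == "server_encryption_options:":
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            opts[key] = [s.strip() for s in value[1:-1].split(",") if s.strip()]
        elif value in ("true", "false"):
            opts[key] = value == "true"
        else:
            opts[key] = value
    return opts


def is_aead(suite):
    """GCM and ChaCha20-Poly1305 suites are AEAD; CBC-with-HMAC suites are not."""
    return ("_GCM_" in suite or "_CHACHA20_POLY1305_" in suite
            or suite.startswith(("TLS_AES_", "TLS_CHACHA20_")))  # TLS 1.3 names


def has_forward_secrecy(suite):
    """Static RSA key exchange (TLS_RSA_*) exposes all past traffic if the key leaks."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_"))


def lint(opts):
    """Return human-readable findings for one parsed block; empty means clean."""
    findings = []
    for suite in opts.get("cipher_suites", []):
        if not is_aead(suite):
            findings.append(f"non-AEAD cipher suite (CBC/legacy): {suite}")
        if not has_forward_secrecy(suite):
            findings.append(f"no forward secrecy: {suite}")
    protocol = opts.get("protocol", "TLS")
    if protocol in ("SSL", "TLS", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"protocol '{protocol}' allows pre-TLS-1.2 negotiation")
    if opts.get("internode_encryption", "none") == "none":
        findings.append("internode_encryption: none, outbound peer traffic is cleartext")
    if opts.get("optional", False):
        findings.append("optional: true accepts cleartext on storage_port (rollout only)")
    if not opts.get("require_client_auth", False):
        findings.append("require_client_auth: false, inbound peers are not authenticated")
    if not opts.get("require_endpoint_verification", False):
        findings.append("require_endpoint_verification: false, peer hostname not checked")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == "cassandra":
            findings.append(f"{key} is the shipped default 'cassandra'")
    return findings


def audit(text):
    """Parse and lint a server_encryption_options block in one call."""
    return lint(parse_encryption_options(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the quoted block the linter reports 14 findings: all six suites are non-AEAD, the two `TLS_RSA_*` suites additionally lack forward secrecy, `protocol: TLS` leaves the floor to the JVM, and the remaining findings cover cleartext outbound links, unauthenticated peers, no hostname check and the default store passwords. The hardened block reports none. Note that `optional: true` is reported as a finding here because the hardened block models the end state; for the rollout window the ticket is about, that setting is exactly what it recommends.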
[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ekaterina Dimitrova updated CASSANDRA-15262:
--------------------------------------------
    Reviewers: Benedict Elliott Smith, Ekaterina Dimitrova, Ekaterina Dimitrova  (was: Benedict Elliott Smith, Ekaterina Dimitrova)
    Reviewers: Benedict Elliott Smith, Ekaterina Dimitrova, Ekaterina Dimitrova  (was: Benedict Elliott Smith)
       Status: Review In Progress  (was: Patch Available)
[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Lynch updated CASSANDRA-15262:
-------------------------------------
    Fix Version/s: 4.0-alpha
[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Lynch updated CASSANDRA-15262:
-------------------------------------
    Fix Version/s: 4.0
[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benedict updated CASSANDRA-15262:
---------------------------------
    Reviewers: Benedict
[jira] [Updated] (CASSANDRA-15262) server_encryption_options is not backwards compatible with 3.11
     [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joseph Lynch updated CASSANDRA-15262:
-------------------------------------
         Severity: Low
       Complexity: Low Hanging Fruit
    Discovered By: Performance Regression Test
     Bug Category: Parent values: Correctness(12982)Level 1 values: Semantic Failure(12988)
           Status: Open  (was: Triage Needed)