Re: cqlsh error after enabling encryption

2013-09-11 Thread Les Hazlewood
bump.  Any ideas?  We're seeing the same issue on 2.0 as well.

Thanks!

On Tue, Sep 3, 2013 at 2:20 PM, David Laube d...@stormpath.com wrote:
 Hi All,

 After enabling encryption on our Cassandra 1.2.8 nodes, we are receiving the
 error Connection error: TSocket read 0 bytes while attempting to use CQLsh
 to talk to the ring. I've followed the docs over at
 http://www.datastax.com/documentation/cassandra/1.2/webhelp/cassandra/security/secureCqlshSSL_t.html
 but can't seem to figure out why this isn't working. Inter-node
 communication seems to be working properly since nodetool status shows our
 nodes as up, but the CQLsh client is unable to talk to a single node or any
 node in the cluster (specifying the IP in .cqlshrc or on the CLI) for some
 reason. I'm providing the applicable config file entries below for review.
 Any insight or suggestions would be greatly appreciated! :)



 My ~/.cqlshrc file:
 

 [connection]
 hostname = 127.0.0.1
 port = 9160
 factory = cqlshlib.ssl.ssl_transport_factory

 [ssl]
 certfile = /etc/cassandra/conf/cassandra_client.crt
 validate = true ## Optional, true by default.

 [certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
 192.168.1.3 = ~/keys/cassandra01.cert
 192.168.1.4 = ~/keys/cassandra02.cert
 



 Our cassandra.yaml file config blocks:
 
 …snip…

 server_encryption_options:
     internode_encryption: all
     keystore: /etc/cassandra/conf/.keystore
     keystore_password: yeah-right
     truststore: /etc/cassandra/conf/.truststore
     truststore_password: yeah-right
     # More advanced defaults below:
     # protocol: TLS
     # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
     # require_client_auth: false

 # enable or disable client/server encryption.
 client_encryption_options:
     enabled: true
     keystore: /etc/cassandra/conf/.keystore
     keystore_password: yeah-right
     # require_client_auth: false
     # Set truststore and truststore_password if require_client_auth is true
     # truststore: conf/.truststore
     # truststore_password: cassandra
     # More advanced defaults below:
     protocol: TLS
     algorithm: SunX509
     store_type: JKS
     cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]

 …snip...
 




 Thanks,
 -David Laube



cqlsh error after enabling encryption

2013-09-03 Thread David Laube
Hi All,

After enabling encryption on our Cassandra 1.2.8 nodes, we are receiving the error
Connection error: TSocket read 0 bytes while attempting to use CQLsh to talk
to the ring. I've followed the docs over at
http://www.datastax.com/documentation/cassandra/1.2/webhelp/cassandra/security/secureCqlshSSL_t.html
but can't seem to figure out why this isn't working. Inter-node communication
seems to be working properly since nodetool status shows our nodes as up, but 
the CQLsh client is unable to talk to a single node or any node in the cluster 
(specifying the IP in .cqlshrc or on the CLI) for some reason. I'm providing 
the applicable config file entries below for review. Any insight or suggestions 
would be greatly appreciated! :)



My ~/.cqlshrc file:


[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = /etc/cassandra/conf/cassandra_client.crt
validate = true ## Optional, true by default.

[certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert




Our cassandra.yaml file config blocks:

…snip…

server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: yeah-right
    truststore: /etc/cassandra/conf/.truststore
    truststore_password: yeah-right
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
    # require_client_auth: false

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: yeah-right
    # require_client_auth: false
    # Set truststore and truststore_password if require_client_auth is true
    # truststore: conf/.truststore
    # truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]

…snip...





Thanks,
-David Laube