[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408499#comment-16408499 ]

Dinesh Joshi commented on CASSANDRA-14314:

[~jasobrown] a few comments -

* {{SSLFactory}} line 327 info message should read - "SSL certificates have been updated. Reseting the ssl contexts for new connections.". Please drop the word "peer".
* {{HotReloadableFile}} we can get rid of {{isServer}} and {{isClient}} methods and associated code as we're not making any distinctions any more.

Rest looks good.

> Fix argument passing for SSLContext in trunk
>
>                 Key: CASSANDRA-14314
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14314
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Dinesh Joshi
>            Assignee: Dinesh Joshi
>            Priority: Major
>              Labels: security
>
> Argument passing has a minor bug while creating the SSLContext. Audit and
> make sure that the client & server SSL contexts are created at appropriate
> locations.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408405#comment-16408405 ]

Jason Brown commented on CASSANDRA-14314:

I've made a few changes to [~djoshi3]'s branch, which was a great step in the right direction, and pushed up to my repo:

||sslfactory||
|[branch|https://github.com/jasobrown/cassandra/tree/fix-args-to-sslfactory]|
|[utests & dtests|https://circleci.com/gh/jasobrown/workflows/cassandra/tree/fix-args-to-sslfactory]|

- I renamed {{ConnectionType.CLIENT}} to {{ConnectionType.NATIVE_PROTOCOL}} (and {{ConnectionType.PEER}} to {{ConnectionType.INTERNODE_MESSAGING}}) as it was just confusing to me what 'client' vs 'server' really meant. The change ends up reading very well, especially at call sites.
- as a petty readability change, I replaced {{SSLFactory.HotReloadableFile.Type}} with {{ConnectionType}}.
- {{SSLFactory.CacheKey}} - I moved the {{equals}}/{{hashCode}} logic for {{EncryptionOptions}} fields into {{equals}}/{{hashCode}} functions on {{EncryptionOptions}} itself.
- {{Server}} - {{ConnectionType}} should be {{CLIENT}} (now {{NATIVE_PROTOCOL}}) as this is where we start the server-side of the client-facing native protocol.
- {{NettyFactory.OutboundInitializer.initChannel}} - {{ConnectionType}} should be {{PEER}} (now {{INTERNODE_MESSAGING}}) as this is where we start the client-side of an internode messaging connection.
- {{SSLFactory.getSslContext}} - when {{cachedSslContexts.putIfAbsent}} is called, if the value is not null, we should return that value rather than using the instance we just created. That way we reuse the 'winning' context.
- {{SSLFactory.createNettySslContext}} - I'm not sure we need to check if {{options.enabled}}. Actually, I'm not sure if there's a strong argument for why we should ever not load the keystore. In 3.0, we always loaded the keystore. wdyt?
- Last, while I can't (or don't want to) rename the yaml properties ({{client_encryption_options}}/{{server_encryption_options}}), I can clean up the code that refers to them. Hence, in DD I've changed {{getServerEncryptionOptions}} to {{getInternodeMessagingEncryptonOptions}} and so on. This makes the call sites to get that data more obvious, as well. This change is not a requirement for this patch, but helps clarify the code.

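Added example (not code from the Cassandra patch or from either commenter): the cache lookup discussed in the comment above, with key equality delegated to the options object and the return value of `putIfAbsent` honoured so that racing callers end up sharing one context. `Options`, `CacheKey`, `createContext` and the sample keystore path are hypothetical stand-ins, and a plain `Object` takes the place of the Netty SSL context.

```java
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
// Added sketch: names echo the thread, bodies are assumptions, not Cassandra code.
public class SslContextCacheSketch {
    enum SocketType { SERVER, CLIENT }

    // Hypothetical stand-in for EncryptionOptions; it owns equals/hashCode itself.
    static final class Options {
        final String keystore; final boolean requireClientAuth;
        Options(String keystore, boolean requireClientAuth) {
            this.keystore = keystore; this.requireClientAuth = requireClientAuth;
        }
        @Override public boolean equals(Object o) {
            return o instanceof Options && requireClientAuth == ((Options) o).requireClientAuth
                && Objects.equals(keystore, ((Options) o).keystore);
        }
        @Override public int hashCode() { return Objects.hash(keystore, requireClientAuth); }
    }

    static final class CacheKey {
        final Options options; final SocketType socketType;
        CacheKey(Options options, SocketType socketType) { this.options = options; this.socketType = socketType; }
        @Override public boolean equals(Object o) {
            return o instanceof CacheKey && socketType == ((CacheKey) o).socketType
                && options.equals(((CacheKey) o).options);
        }
        @Override public int hashCode() { return Objects.hash(options, socketType); }
    }

    static final ConcurrentMap<CacheKey, Object> cachedSslContexts = new ConcurrentHashMap<>();
    // Placeholder for the expensive keystore load and context build.
    static Object createContext(CacheKey key) { return new Object(); }

    static Object getSslContext(Options options, SocketType socketType) {
        CacheKey key = new CacheKey(options, socketType);
        Object cached = cachedSslContexts.get(key);
        if (cached != null) return cached;
        Object created = createContext(key);
        Object previous = cachedSslContexts.putIfAbsent(key, created);
        return previous != null ? previous : created; // a racing thread won: reuse its context
    }

    public static void main(String[] args) {
        Options a = new Options("conf/.keystore", true), b = new Options("conf/.keystore", true); // constructed
        System.out.println(getSslContext(a, SocketType.SERVER) == getSslContext(b, SocketType.SERVER));
        System.out.println(getSslContext(a, SocketType.SERVER) == getSslContext(a, SocketType.CLIENT));
    }
}
```

Without the `previous` check, two threads that miss the cache at the same moment would each keep a different context for the same key.
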
[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403810#comment-16403810 ]

Dinesh Joshi commented on CASSANDRA-14314:

Squashed the commit - b9836dc07560ffa03eb6fb3902a2d96c3ff5715e

[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403793#comment-16403793 ]

Dinesh Joshi commented on CASSANDRA-14314:

||sslfactory||
|[branch|https://github.com/dineshjoshi/cassandra/tree/fix-args-to-sslfactory]|
|[utests dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/fix-args-to-sslfactory]|
||

[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403296#comment-16403296 ]

Dinesh Joshi commented on CASSANDRA-14314:

Hi [~jasobrown], I have updated the branch with a bunch of changes. Here's a short rundown of the changes -

# Removed the {{serverSslContext}} and {{clientSslContext}} {{AtomicReference}}
# Introduced a new field {{SocketType}} - so now you can create a combination of (PEER, CLIENT) {{ConnectionType}} and (SERVER, CLIENT) {{SocketType}}
# Netty SSL contexts are cached in a {{ConcurrentHashMap}}. I haven't currently implemented any strategy to prune or reset this map. My expectation is in the steady state this map should not grow.
# Hot reloading is updated to use this map.

[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16400953#comment-16400953 ]

Jason Brown commented on CASSANDRA-14314:

[~djoshi3] and I spoke offline about this, and we uncovered some further incorrectness with {{SSLFactory.getSslContext()}}. We'll have an updated patch soon.

[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk
[ https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16399929#comment-16399929 ]

Dinesh Joshi commented on CASSANDRA-14314:

[~jasobrown] - please review.

||sslfactory||
|[branch|https://github.com/dineshjoshi/cassandra/tree/fix-args-to-sslfactory]|
|[utests dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/fix-args-to-sslfactory]|
||