[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-21 Thread Dinesh Joshi (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408499#comment-16408499
 ] 

Dinesh Joshi commented on CASSANDRA-14314:
--

[~jasobrown] a few comments -

* {{SSLFactory}} line 327 info message should read - "SSL certificates have 
been updated. Reseting the ssl contexts for new connections.". Please drop the 
word "peer".
* {{HotReloadableFile}} we can get rid of {{isServer}} and {{isClient}} methods 
and associated code as we're not making any distinctions any more.

Rest looks good.

> Fix argument passing for SSLContext in trunk
> 
>
> Key: CASSANDRA-14314
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14314
> Project: Cassandra
> Issue Type: Bug
> Reporter: Dinesh Joshi
> Assignee: Dinesh Joshi
> Priority: Major
> Labels: security
>
> Argument passing has a minor bug while creating the SSLContext. Audit and 
> make sure that the client & server SSL contexts are created at appropriate 
> locations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-21 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408405#comment-16408405
 ] 

Jason Brown commented on CASSANDRA-14314:
-

I've made a few changes to [~djoshi3]'s branch, which was a great step in the 
right direction, and pushed up to my repo:
||sslfactory||
|[branch|https://github.com/jasobrown/cassandra/tree/fix-args-to-sslfactory]|
|[utests & dtests|https://circleci.com/gh/jasobrown/workflows/cassandra/tree/fix-args-to-sslfactory]|
 - I renamed {{ConnectionType.CLIENT}} to {{ConnectionType.NATIVE_PROTOCOL}} 
(and {{ConnectionType.PEER}} to {{ConnectionType.INTERNODE_MESSAGING}}) as it 
was just confusing to me what 'client' vs 'server' really meant. The change 
ends up reading very well, especially at call sites.
 - as a petty readability change, I replaced 
{{SSLFactory.HotReloadableFile.Type}} with {{ConnectionType}}.
 - {{SSLFactory.CacheKey}} - I moved the {{equals}}/{{hashCode}} logic for 
{{EncryptionOptions}} fields into {{equals}}/{{hashCode}} functions on 
{{EncryptionOptions}} itself.
 - {{Server}} - {{ConnectionType}} should be {{CLIENT}} (now 
{{NATIVE_PROTOCOL}}) as this is where we start the server-side of the 
client-facing native protocol.
 - {{NettyFactory.OutboundInitializer.initChannel}} - {{ConnectionType}} should 
be {{PEER}} (now {{INTERNODE_MESSAGING}}) as this is where we start the 
client-side of an internode messaging connection.
 - {{SSLFactory.getSslContext}} - when {{cachedSslContexts.putIfAbsent}} is 
called, if the value is not null, we should return that value rather than using 
the instance we just created. That way we reuse the 'winning' context.
 - {{SSLFactory.createNettySslContext}} - I'm not sure we need to check if 
{{options.enabled}}. Actually, I'm not sure if there's a strong argument for 
why we should ever not load the keystore. In 3.0, we always loaded the 
keystore. wdyt?
 - Last, while I can't (or don't want to) rename the yaml properties 
({{client_encryption_options}}/{{server_encryption_options}}), I can clean up 
the code that refers to them. Hence, in DD I've changed 
{{getServerEncryptionOptions}} to {{getInternodeMessagingEncryptonOptions}} and 
so on. This makes the call sites to get that data more obvious, as well. This 
change is not a requirement for this patch, but helps clarify the code.
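
The {{SSLFactory.CacheKey}} and {{putIfAbsent}} points from the comment above, as an added sketch that is not Cassandra's code and not part of the original comment. Only the two enum constants come from the thread; the class names, fields and keystore paths are hypothetical, and a plain Object stands in for Netty's SslContext.

```java
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

public class SslContextCacheExample {
    // Enum constants as named in the comment; every other name here is hypothetical.
    enum ConnectionType { NATIVE_PROTOCOL, INTERNODE_MESSAGING }
    // Stand-in for EncryptionOptions: value equality is defined on the options class itself.
    static final class Options {
        final String keystore, truststore; final boolean requireClientAuth;
        Options(String k, String t, boolean auth) { keystore = k; truststore = t; requireClientAuth = auth; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Options)) return false;
            Options that = (Options) o;
            return keystore.equals(that.keystore) && truststore.equals(that.truststore)
                   && requireClientAuth == that.requireClientAuth;
        }
        @Override public int hashCode() { return Objects.hash(keystore, truststore, requireClientAuth); }
    }
    // The key delegates to Options and adds the connection type, so the two kinds never share a context.
    static final class CacheKey {
        final Options options; final ConnectionType type;
        CacheKey(Options options, ConnectionType type) { this.options = options; this.type = type; }
        @Override public boolean equals(Object o) {
            return o instanceof CacheKey && options.equals(((CacheKey) o).options)
                   && type == ((CacheKey) o).type;
        }
        @Override public int hashCode() { return Objects.hash(options, type); }
    }
    // A plain Object stands in for the costly-to-build SSL context.
    static final ConcurrentHashMap<CacheKey, Object> cache = new ConcurrentHashMap<>();

    static Object getSslContext(Options options, ConnectionType type) {
        CacheKey key = new CacheKey(options, type);
        Object cached = cache.get(key);
        if (cached != null) return cached;
        Object created = new Object();                 // another thread may be building one too
        Object previous = cache.putIfAbsent(key, created);
        return previous != null ? previous : created;  // reuse the 'winning' context
    }

    public static void main(String[] args) {
        Options a = new Options("conf/.keystore", "conf/.truststore", true); // constructed values
        Options b = new Options("conf/.keystore", "conf/.truststore", true); // equal, distinct object
        Object first = getSslContext(a, ConnectionType.INTERNODE_MESSAGING);
        System.out.println("equal options: " + (first == getSslContext(b, ConnectionType.INTERNODE_MESSAGING)));
        System.out.println("other type: " + (first == getSslContext(a, ConnectionType.NATIVE_PROTOCOL)));
        System.out.println("cached contexts: " + cache.size());
    }
}
```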




[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-17 Thread Dinesh Joshi (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403810#comment-16403810
 ] 

Dinesh Joshi commented on CASSANDRA-14314:
--

Squashed the commit - b9836dc07560ffa03eb6fb3902a2d96c3ff5715e




[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-17 Thread Dinesh Joshi (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403793#comment-16403793
 ] 

Dinesh Joshi commented on CASSANDRA-14314:
--

||sslfactory||
|[branch|https://github.com/dineshjoshi/cassandra/tree/fix-args-to-sslfactory]|
|[utests & dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/fix-args-to-sslfactory]|
||




[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-17 Thread Dinesh Joshi (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403296#comment-16403296
 ] 

Dinesh Joshi commented on CASSANDRA-14314:
--

Hi [~jasobrown], I have updated the branch with a bunch of changes. Here's a 
short rundown of the changes -
 # Removed the {{serverSslContext}} and {{clientSslContext}} {{AtomicReference}}
 # Introduced a new field {{SocketType}} - so now you can create a combination 
of (PEER, CLIENT) {{ConnectionType}} and (SERVER, CLIENT) {{SocketType}}
 # Netty SSL contexts are cached in a {{ConcurrentHashMap}}. I haven't 
currently implemented any strategy to prune or reset this map. My expectation 
is in the steady state this map should not grow.
 # Hot reloading is updated to use this map.




[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-15 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16400953#comment-16400953
 ] 

Jason Brown commented on CASSANDRA-14314:
-

[~djoshi3] and I spoke offline about this, and we uncovered some further 
incorrectness with {{SSLFactory.getSslContext()}}. We'll have an updated patch 
soon.




[jira] [Commented] (CASSANDRA-14314) Fix argument passing for SSLContext in trunk

2018-03-14 Thread Dinesh Joshi (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-14314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16399929#comment-16399929
 ] 

Dinesh Joshi commented on CASSANDRA-14314:
--

[~jasobrown] - please review.

||sslfactory||
|[branch|https://github.com/dineshjoshi/cassandra/tree/fix-args-to-sslfactory]|
|[utests & dtests|https://circleci.com/gh/dineshjoshi/workflows/cassandra/tree/fix-args-to-sslfactory]|
||
