Jacek Lewandowski created CASSANDRA-11532:
---------------------------------------------
Summary: CqlConfigHelper requires both truststore and keystore to work with SSL encryption
Key: CASSANDRA-11532
URL: https://issues.apache.org/jira/browse/CASSANDRA-11532
Project: Cassandra
Issue Type: Bug
Reporter: Jacek Lewandowski
Assignee: Jacek Lewandowski
{{CqlConfigHelper}} configures SSL in the following way:
{code:java}
public static Optional<SSLOptions> getSSLOptions(Configuration conf)
{
    Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
    Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
    Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
    Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
    Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);

    if (truststorePath.isPresent() && keystorePath.isPresent() &&
        truststorePassword.isPresent() && keystorePassword.isPresent())
    {
        SSLContext context;
        try
        {
            context = getSSLContext(truststorePath.get(), truststorePassword.get(),
                                    keystorePath.get(), keystorePassword.get());
        }
        catch (UnrecoverableKeyException | KeyManagementException |
               NoSuchAlgorithmException | KeyStoreException |
               CertificateException | IOException e)
        {
            throw new RuntimeException(e);
        }
        String[] css = null;
        if (cipherSuites.isPresent())
            css = cipherSuites.get().split(",");
        return Optional.of(JdkSSLOptions.builder()
                                        .withSSLContext(context)
                                        .withCipherSuites(css)
                                        .build());
    }
    return Optional.absent();
}
{code}
which forces you to connect only to trusted nodes and to use client authentication.
This should be made more flexible so that at least client authentication is
optional.