[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2018-02-13 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362608#comment-16362608
 ] 

Jason Brown commented on CASSANDRA-13259:
-

bq. I'd suggest to commit this to trunk only

Hmm, I think you are right here - not only for the yaml change, but silently 
swapping part of the SSL implementation during a minor is not cool (without a 
legitimately good reason).

So, +1 to the patch and removing the yaml entry for trunk only.

> Use platform specific X.509 default algorithm
> -
>
> Key: CASSANDRA-13259
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13259
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Configuration
>Reporter: Stefan Podkowinski
>Assignee: Stefan Podkowinski
>Priority: Minor
> Fix For: 4.x
>
>
> We should replace the hardcoded "SunX509" default algorithm and use the JRE 
> default instead. This implementation will currently not work on less popular 
> platforms (e.g. IBM) and won't get any further updates.
> See also:
> https://bugs.openjdk.java.net/browse/JDK-8169745



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2018-02-13 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362506#comment-16362506
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


Let's then remove it from the yaml but keep it in EncryptionOptions.

I'd suggest to commit this to trunk only, as this is not a bug fix and the 
value can be explicitly set in the yaml, in the hypothetical case SunX509 is 
getting pulled from future JVM releases.




[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2018-02-13 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362438#comment-16362438
 ] 

Jason Brown commented on CASSANDRA-13259:
-

On the whole, +1. {{SunX509}} still appears in the yaml, under 
{{server_encryption_options}} and {{client_encryption_options}}. I'm not sure 
what the best thing to do here is. We could:

- remove the {{algorithm}} property altogether from the yaml - yet leave it in 
the {{EncryptionOptions}} in case somebody actually has a custom algo 
implementation (highly doubtful, but it costs us nothing to keep it)
- remove {{SunX509}} as the value of the property, although this might confuse 
an operator to see an empty prop value and they may try to shove something in 
the attempt to make it happy (even though they don't need it)
- replace {{SunX509}} with whatever the new default algo name is (I couldn't 
find it with a naive, 30 second search), although this may, at some distant 
future date, get us into the same situation we are in now.

I'm mildly in favor of the first option. wdyt?




[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2018-02-13 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362330#comment-16362330
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


Rebased the first patch submitted when creating this ticket:

||trunk||
|[branch|https://github.com/spodkowinski/cassandra/tree/CASSANDRA-13259-trunk]|
|[dtest|https://builds.apache.org/view/A-D/view/Cassandra/job/Cassandra-devbranch-dtest/494/]|
|[unit_tests|https://circleci.com/gh/spodkowinski/cassandra/223]|





[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2018-02-05 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16352927#comment-16352927
 ] 

Jason Brown commented on CASSANDRA-13259:
-

Circling back to this, I'd like to just reduce the scope back to the original 
intent of this ticket (update {{server_encryption_options/algorithm}}) to the 
new default, and leave the discussion of other yaml props to CASSANDRA-13314. 
That way we can commit this one and get it out of the way. wdyt, 
[~spo...@gmail.com]? We still need an {{algorithm}} parameter after 
CASSANDRA-8457/CASSANDRA-10404 as we need it when building the 
[{{TrustManagerFactory}}|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L108]
 and 
[{{KeyManagerFactory}}|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/SSLFactory.java#L124]
 in {{SSLFactory}}.





[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-10 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15905828#comment-15905828
 ] 

Jason Brown commented on CASSANDRA-13259:
-

wrt {{store_type}}, can java8 correctly figure out the difference between a 
PKCS12 and JKS? Further, what if somebody went bananas and used a JCEKS (I'm 
not totally sure this case applies to TLS)? I agree with you that one declared 
{{store_type}} is not correct for all situations (covering both the key and 
trust stores), but that leads us logically to having a separate {{store_type}} 
config option for both keystore and truststore. The {{javax.net.ssl.*}} allow a 
differentiation of the store types, but see next paragraph.

wrt JVM-based properties ({{javax.net.ssl.*}}), we currently allow users to 
have a different configuration for client-server and internode (peer-to-peer) 
communications. By removing both options in favor of using the JVM-based 
properties, operators who previously had separate configs are now forced to use 
the same config for both, and I'm not sure how big of a breakage that is (in 
terms of the actual number of operators/clusters affected).

Also, I spoke with one of the netty developers, and they ignore the 
{{javax.net.ssl.*}} properties. Thus I don't think the JVM-based properties are 
the way to go.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-09 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15902763#comment-15902763
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


I'd prefer to keep discussing my latest proposal within this ticket, as I tend 
to get confused having too many highly related tickets and I've also just 
created CASSANDRA-13314 to discuss how we could go even further, after this 
ticket has been solved.



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-08 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901693#comment-15901693
 ] 

Jason Brown commented on CASSANDRA-13259:
-

[~spod] sounds interesting, let me check how that will work with 
netty/CASSANDRA-8457. It might be cool, just need to think it through



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-08 Thread Robert Stupp (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901306#comment-15901306
 ] 

Robert Stupp commented on CASSANDRA-13259:
--

If there isn't anything a user has or can do wrt the trust manager, then you're 
right that there's no need for a NEWS.txt entry. I thought this would require 
some change.



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-08 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901296#comment-15901296
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


Does anyone mind if I get rid of store_type, too? The new default for Java 9 
will be PKCS12 instead of JKS (http://openjdk.java.net/jeps/229). Also it's 
actually not a good idea in general to have a single store type and algorithm 
for both keystore and truststore, as I may want to use a public, global JKS 
store or the JVM cacerts as truststore and generate host specific keystores as 
PKCS12, e.g. via openssl. This is currently not possible by configuring a 
single store type for both.

In general, advanced JSSE settings should be configured using either system 
properties (jvm.options) or security properties 
(jre/lib/security/java.security), see 
[here|http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization]
 for possible values. We should encourage this practice and be agnostic about 
the finer configuration details. I'd therefore like to remove the advanced 
settings at least from stock cassandra.yaml. 

See my [WIP branch|https://github.com/spodkowinski/cassandra/tree/WIP-13259] 
for implementation details.


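The idea discussed in the comments above (ask the JRE for its default X.509 algorithm instead of hardcoding "SunX509", and let keystore and truststore have different store types), as an added example; it is not Cassandra's {{SSLFactory}} code and not from any commenter. The class and method names are hypothetical, and the password and the {{NoSuchX509}} algorithm name are constructed sample values.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper, not part of Cassandra.
public class PlatformDefaultTls {

    // An operator-supplied value wins; otherwise use what the JRE reports.
    static String orDefault(String configured, String platformDefault) {
        return (configured == null || configured.isEmpty()) ? platformDefault : configured;
    }

    // Each store carries its own type. path == null yields an empty in-memory
    // store, used here only so the demo runs without any files on disk.
    static KeyStore loadStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(orDefault(type, KeyStore.getDefaultType()));
        if (path == null) {
            ks.load(null, password);
        } else {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    // algorithm == null means "not configured": ask the platform instead of
    // assuming SunX509. trustStore == null makes JSSE fall back to the JVM's
    // default trust store (cacerts unless overridden).
    static SSLContext build(String algorithm, KeyStore keyStore, char[] keyPassword,
                            KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                orDefault(algorithm, KeyManagerFactory.getDefaultAlgorithm()));
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                orDefault(algorithm, TrustManagerFactory.getDefaultAlgorithm()));
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Defaults come from the ssl.KeyManagerFactory.algorithm and
        // ssl.TrustManagerFactory.algorithm security properties of this JRE.
        System.out.println("KeyManagerFactory default:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default: " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("KeyStore default type:       " + KeyStore.getDefaultType());

        char[] pw = "changeit".toCharArray();              // constructed sample password
        KeyStore keyStore = loadStore("PKCS12", null, pw); // host keystore as PKCS12
        SSLContext ctx = build(null, keyStore, pw, null);  // truststore: JVM default
        System.out.println("Context built for protocol:  " + ctx.getProtocol());

        // A pinned name the platform does not provide fails at factory lookup,
        // which is the failure mode a hardcoded default risks on another JRE.
        try {
            build("NoSuchX509", keyStore, pw, null);       // constructed, nonexistent name
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Pinned algorithm rejected:   " + e.getMessage());
        }
    }
}
```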

[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-03-08 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15901292#comment-15901292
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


As for the NEWS.txt entry, I'm not really sure what to report there. 
Effectively the only change will be that instead of the SunX509 trust manager 
the PKIX trust manager is now used by default (according to the linked openjdk 
ticket). There should be no action necessary by the user. 



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-02-25 Thread Robert Stupp (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15884238#comment-15884238
 ] 

Robert Stupp commented on CASSANDRA-13259:
--

One minor nit: Can you add an entry to NEWS.txt about this change?



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-02-25 Thread Jason Brown (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15884237#comment-15884237
 ] 

Jason Brown commented on CASSANDRA-13259:
-

+1



[jira] [Commented] (CASSANDRA-13259) Use platform specific X.509 default algorithm

2017-02-24 Thread Stefan Podkowinski (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-13259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15882201#comment-15882201
 ] 

Stefan Podkowinski commented on CASSANDRA-13259:


||trunk||
|[branch|https://github.com/spodkowinski/cassandra/tree/CASSANDRA-13259-trunk]|
|[dtest|http://cassci.datastax.com/view/Dev/view/spodkowinski/job/spodkowinski-CASSANDRA-13259-trunk-dtest/]|
|[testall|http://cassci.datastax.com/view/Dev/view/spodkowinski/job/spodkowinski-CASSANDRA-13259-trunk-testall/]|

Dtest fix:
https://github.com/spodkowinski/cassandra-dtest/tree/CASSANDRA-13259
