I did take a look into the source code of 3.11, but I believe the code is more 
or less the same. 
The SSL code makes use of Java SSL Sockets so you can limit the protocols in 
the "Java way". 
The java way (at least for a recent Java 8) is to setup the protocols in the 
<jre>/lib/security/java.security file. 
Or to define a system property on the command line (-Dhttps.protocols = 

There are multiple options for SSL configuration in the config 
The most interesting one in your situation would be the cipher_suites option, 
which allows you 
to limit the avaliable cipher suites e.g. to 
(which is a TLS1.2-only cipher suite). 

You can check the offered protocols for your server with an open source tool 
like sslyze (https://github.com/nabla-c0d3/sslyze) 

Marcus Haarmann 

Von: "Lou DeGenaro" <lou.degen...@gmail.com> 
An: "user" <user@cassandra.apache.org> 
Gesendet: Dienstag, 24. April 2018 11:21:06 
Betreff: Re: How to configure Cassandra to NOT use SSLv2? 

Can someone please can tell me how to prevent Cassandra 3.0.9 from using SSLv2? 
Happy to use a newer version of Cassandra if that's what's required. 

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro < [ mailto:lou.degen...@gmail.com 
| lou.degen...@gmail.com ] > wrote: 


On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler < [ 
mailto:mich...@pbandjelly.org | mich...@pbandjelly.org ] > wrote: 

On 04/20/2018 08:46 AM, Lou DeGenaro wrote: 
> Could you be more specific? What does one specify exactly to assure 
> SSLv2 is not used for both client-server and server-server 
> communications? Example yaml statements would be wonderful. 

The defaults in cassandra.yaml have only TLS specified in the current 
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit. 
It's possible you may be on something older - what version are we 
talking about? 


To unsubscribe, e-mail: [ mailto:user-unsubscr...@cassandra.apache.org | 
user-unsubscr...@cassandra.apache.org ] 
For additional commands, e-mail: [ mailto:user-h...@cassandra.apache.org | 
user-h...@cassandra.apache.org ] 


Reply via email to