OK, this is IBM JDK. The options might differ. I have been searching for Oracle 
Java options. 
You will need to consult the IBM documentation in this case. 

Marcus Haarmann 


From: "Lou DeGenaro" <[email protected]>
To: "user" <[email protected]>
Sent: Tuesday, 24 April 2018 16:08:06
Subject: Re: How to configure Cassandra to NOT use SSLv2?

Thanks for your suggestions. I tried using the -D shown below: 



degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra 
degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all 
/share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello 
-Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC 
-XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 
-XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly 
-XX:CMSWaitDuration=10000... 
... 
WARN 14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket 
Exception (java.lang.IllegalArgumentException) encountered during startup: 
SSLv2Hello is not a recognized protocol. 
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol. 
at com.ibm.jsse2.S.a(S.java:112) 
at com.ibm.jsse2.S.b(S.java:136) 
at com.ibm.jsse2.S.<init>(S.java:177) 
at com.ibm.jsse2.as.setEnabledProtocols(as.java:2) 
at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67) 
at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696) 
ERROR 14:01:09 Exception encountered during startup 
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol. 



Who is at fault: user, Cassandra, JVM, OS? 

Thanks. 

Lou. 






On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <[email protected]> wrote:


Hi, 

I did take a look into the source code of 3.11, but I believe the code is more 
or less the same. 
The SSL code makes use of Java SSL Sockets so you can limit the protocols in 
the "Java way". 
The Java way (at least for a recent Java 8) is to set up the protocols in the 
<jre>/lib/security/java.security file. 
Or to define a system property on the command line 
(-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello). 

There are multiple options for SSL configuration in the config 
(https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html). 
The most interesting one in your situation would be the cipher_suites option, 
which allows you to limit the available cipher suites, e.g. to 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
(which is a TLS1.2-only cipher suite). 

You can check the offered protocols for your server with an open source tool 
like sslyze (https://github.com/nabla-c0d3/sslyze). 

Marcus Haarmann 


From: "Lou DeGenaro" <[email protected]>
To: "user" <[email protected]>
Sent: Tuesday, 24 April 2018 11:21:06
Subject: Re: How to configure Cassandra to NOT use SSLv2?

Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2? 
Happy to use a newer version of Cassandra if that's what's required. 

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <[email protected]> wrote: 


3.0.9 

On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <[email protected]> wrote: 

On 04/20/2018 08:46 AM, Lou DeGenaro wrote: 
> Could you be more specific? What does one specify exactly to assure 
> SSLv2 is not used for both client-server and server-server 
> communications? Example yaml statements would be wonderful. 

The defaults in cassandra.yaml have only TLS specified in the current 
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit. 
It's possible you may be on something older - what version are we 
talking about? 

-- 
Michael 









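The stack trace above shows where the failure happens: Cassandra's SSLFactory.getServerSocket hands the protocol list to SSLServerSocket.setEnabledProtocols, and IBM JSSE rejects the name "SSLv2Hello" outright instead of ignoring it. The following standalone Java program is an added example, not code from this thread or from Cassandra; it shows how a TLS-only policy list can be intersected with what the running JSSE provider supports (so an unrecognized name is logged and dropped rather than aborting startup) and how to verify afterwards that no SSLv2/SSLv3 variant is enabled. The POLICY list and the method names are my own assumptions.

```java
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.*;

public class TlsOnlyProtocols {
    // Constructed policy (assumption): the protocols we are willing to enable, TLS only.
    static final String[] POLICY = {"TLSv1.2", "TLSv1.1"};
    // The list from the thread, for comparison. "SSLv2Hello" is not a protocol version
    // but the SSLv2-format ClientHello; IBM JSSE does not recognize the name at all.
    static final String[] FROM_THREAD = {"TLSv1.2", "TLSv1.1", "SSLv2Hello"};

    // Keep only policy entries the provider actually supports, so a name unknown to
    // this JSSE (the IllegalArgumentException above) is logged and dropped.
    static String[] selectProtocols(String[] policy, String[] supported) {
        Set<String> sup = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String p : policy) {
            if (sup.contains(p)) enabled.add(p);
            else System.out.println("WARN not supported by this JSSE, dropping: " + p);
        }
        if (enabled.isEmpty()) throw new IllegalStateException("no acceptable protocol supported");
        return enabled.toArray(new String[0]);
    }

    // Startup check: fail fast if any SSLv2/SSLv3 variant ended up enabled.
    static void verifyNoLegacySsl(String[] enabled) {
        for (String p : enabled) {
            if (p.startsWith("SSLv2") || p.startsWith("SSLv3")) {
                throw new IllegalStateException("legacy protocol enabled: " + p);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(0)) {
            try {
                ss.setEnabledProtocols(FROM_THREAD);   // the call in the stack trace
            } catch (IllegalArgumentException e) {
                // Providers that do not know the name reject the whole list, as IBM JSSE did.
                System.out.println("Provider rejected list: " + e.getMessage());
            }
            ss.setEnabledProtocols(selectProtocols(POLICY, ss.getSupportedProtocols()));
            verifyNoLegacySsl(ss.getEnabledProtocols());
            System.out.println("Enabled: " + Arrays.toString(ss.getEnabledProtocols()));
        }
    }
}
```

On a JSSE that does recognize "SSLv2Hello" the first setEnabledProtocols call succeeds, which is exactly why the filtered policy list is applied afterwards regardless of provider.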

