  1. Cassandra
  2. CASSANDRA-11405

Server encryption cannot be enabled with the IBM JRE 1.7

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Won't Fix
    • Fix Version/s: 2.2.6
    • Component/s: Local/Config
    • Labels: None
    • Environment: Linux, IBM JRE 1.7
    • Severity: Normal

      Description

      When enabling server encryption with the IBM JRE (algorithm: IbmX509), an IllegalArgumentException is thrown from the IBM JSSE when the server is started:

      ERROR 10:04:37,326 Exception encountered during startup
      java.lang.IllegalArgumentException: SSLv2Hello
      at com.ibm.jsse2.qb.a(qb.java:50)
      at com.ibm.jsse2.pb.a(pb.java:101)
      at com.ibm.jsse2.pb.<init>(pb.java:77)
      at com.ibm.jsse2.oc.setEnabledProtocols(oc.java:77)
      at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:64)
      at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:425)
      at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:409)
      at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:693)
      at org.apache.cassandra.service.StorageService.initServer(StorageService.java:623)
      at org.apache.cassandra.service.StorageService.initServer(StorageService.java:515)
      at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:437)
      at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:567)
      at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:656)

      The problem is that the IBM JSSE does not support SSLv2Hello, but this protocol is hard-coded in class org.apache.cassandra.security.SSLFactory:

      public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};

      public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
      {
          SSLContext ctx = createSSLContext(options, true);
          SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
          serverSocket.setReuseAddress(true);
          String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
          serverSocket.setEnabledCipherSuites(suits);
          serverSocket.setNeedClientAuth(options.require_client_auth);
          serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
          serverSocket.bind(new InetSocketAddress(address, port), 500);
          return serverSocket;
      }

      This ACCEPTED_PROTOCOLS array should not be hard-coded. It should rather read the protocols from configuration, or if the algorithm is IbmX509, simply do not call setEnabledProtocols - with the IBM JSSE, the enabled protocol is controlled by the protocol passed to SSLContext.getInstance.
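
A third way to avoid the startup failure, shown as an added example that is not part of the original report or of Cassandra's code: intersect the wanted protocols with what the JSSE provider reports as supported before calling setEnabledProtocols. The class name ProtocolFilterExample, the method filterProtocols and the IBM-like protocol list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class ProtocolFilterExample {
    // Same values as ACCEPTED_PROTOCOLS in the report.
    static final String[] REQUESTED = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};

    // Keep only the requested protocols the provider supports, in requested order.
    static String[] filterProtocols(String[] supported, String[] requested) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        boolean hasRealProtocol = false;
        for (String p : requested) {
            if (!available.contains(p))
                continue; // e.g. SSLv2Hello on a provider that rejects it
            enabled.add(p);
            // SSLv2Hello is only a hello format; it cannot carry a session alone.
            if (!p.equals("SSLv2Hello"))
                hasRealProtocol = true;
        }
        // Fail closed with a clear message instead of an opaque provider error.
        if (!hasRealProtocol)
            throw new IllegalStateException("No requested TLS protocol is supported: "
                    + Arrays.toString(supported));
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed list standing in for a provider without SSLv2Hello.
        String[] ibmLike = {"TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(filterProtocols(ibmLike, REQUESTED)));

        // Against the JSSE provider of the JVM running this example.
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket s =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            s.setEnabledProtocols(filterProtocols(s.getSupportedProtocols(), REQUESTED));
            System.out.println(Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Because the filter can only narrow the requested list, a provider that supports more protocols than requested never ends up with extra ones enabled.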

            People

            • Assignee: Unassigned
            • Reporter: gvegatoro Guillermo Vega-Toro