CASSANDRA-11532: CqlConfigHelper requires both truststore and keystore to work with SSL encryption


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version/s: 2.2.6, 3.0.6, 3.6
    • Component/s: None
    • Labels: None
    • Severity: Normal

      Description

      CqlConfigHelper configures SSL in the following way:

          // Excerpt from CqlConfigHelper as it stood when this issue was filed.
          public static Optional<SSLOptions> getSSLOptions(Configuration conf)
          {
              Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
              Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
              Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
              Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
              Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);

              // SSL is only enabled when all four values are set: a truststore alone is not enough,
              // so a client certificate is mandatory even when the cluster does not ask for one.
              if (truststorePath.isPresent() && keystorePath.isPresent() && truststorePassword.isPresent() && keystorePassword.isPresent())
              {
                  SSLContext context;
                  try
                  {
                      context = getSSLContext(truststorePath.get(), truststorePassword.get(), keystorePath.get(), keystorePassword.get());
                  }
                  catch (UnrecoverableKeyException | KeyManagementException |
                          NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e)
                  {
                      throw new RuntimeException(e);
                  }
                  String[] css = null;
                  if (cipherSuites.isPresent())
                      css = cipherSuites.get().split(",");
                  return Optional.of(JdkSSLOptions.builder()
                                                  .withSSLContext(context)
                                                  .withCipherSuites(css)
                                                  .build());
              }
              return Optional.absent();
          }


      which forces you to connect only to trusted nodes and to use client authentication. This should be made more flexible so that at least client authentication is optional.
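      As an added example (not the attached patch and not Cassandra's own code), here is one way to build the context so that the truststore is required but the keystore, and with it client authentication, is optional. The class and method names are assumed, and it uses java.util.Optional rather than the Guava Optional seen above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not the project's code: an SSLContext builder where the truststore is
// required (to verify the server) but the keystore is optional (only needed when the
// cluster asks for client certificates). Uses java.util.Optional, not Guava's.
public final class FlexibleSslContext
{
    private static KeyStore load(String path, String password) throws IOException, GeneralSecurityException
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path))
        {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static Optional<SSLContext> build(Optional<String> truststorePath, Optional<String> truststorePassword,
                                             Optional<String> keystorePath, Optional<String> keystorePassword)
            throws IOException, GeneralSecurityException
    {
        // No truststore means no way to verify the server, so SSL stays disabled.
        if (!truststorePath.isPresent() || !truststorePassword.isPresent())
            return Optional.empty();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath.get(), truststorePassword.get()));
        // Keystore present: client authentication; absent: server authentication only.
        KeyManager[] keyManagers = null;
        if (keystorePath.isPresent() && keystorePassword.isPresent())
        {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath.get(), keystorePassword.get()), keystorePassword.get().toCharArray());
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null); // null key managers = no client cert offered
        return Optional.of(ctx);
    }
}
```

      The resulting context can be handed to JdkSSLOptions.builder().withSSLContext(...) exactly as in the snippet above; a cluster that requires client certificates will still reject the handshake when no keystore was configured, which is the desired failure rather than a silent downgrade.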

        Attachments

        1. CASSANDRA_11532.patch (4 kB, Jacek Lewandowski)


            People

            • Assignee: Jacek Lewandowski (jlewandowski)
            • Reporter: Jacek Lewandowski (jlewandowski)
            • Authors: Jacek Lewandowski
            • Reviewers: Jeremiah Jordan
            • Votes: 0
            • Watchers: 3
