Description
CqlConfigHelper configures SSL in the following way:
    public static Optional<SSLOptions> getSSLOptions(Configuration conf)
    {
        Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
        Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
        Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
        Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
        Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);

        if (truststorePath.isPresent() && keystorePath.isPresent() && truststorePassword.isPresent() && keystorePassword.isPresent())
        {
            SSLContext context;
            try
            {
                context = getSSLContext(truststorePath.get(), truststorePassword.get(), keystorePath.get(), keystorePassword.get());
            }
            catch (UnrecoverableKeyException | KeyManagementException |
                   NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e)
            {
                throw new RuntimeException(e);
            }
            String[] css = null;
            if (cipherSuites.isPresent())
                css = cipherSuites.get().split(",");
            return Optional.of(JdkSSLOptions.builder()
                                            .withSSLContext(context)
                                            .withCipherSuites(css)
                                            .build());
        }
        return Optional.absent();
    }
This forces you to connect only to trusted nodes and to use client authentication. This should be made more flexible so that at least client authentication is optional.
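One way the requested behaviour could look, as an added example that is not the project's code or its eventual fix: the truststore stays mandatory so the server is still verified, while the keystore is loaded only when both its path and password are supplied. The class name `OptionalClientAuthSsl`, the `load` helper, the JKS store type and the use of `java.util.Optional` (the snippet above uses Guava's `Optional`) are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class OptionalClientAuthSsl {
    // Hypothetical helper: loads a JKS store from disk (store type is an assumption).
    static KeyStore load(String path, String password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static SSLContext build(String truststorePath, String truststorePassword,
                                   Optional<String> keystorePath, Optional<String> keystorePassword)
            throws GeneralSecurityException, IOException {
        // Server verification is never optional: trust managers always come from the truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, truststorePassword));

        // Reject a half-configured keystore rather than silently dropping client auth.
        if (keystorePath.isPresent() != keystorePassword.isPresent())
            throw new IllegalArgumentException("keystore path and password must be set together");

        // No keystore configured: key managers stay null, so this code supplies no client key material.
        KeyManager[] keyManagers = null;
        if (keystorePath.isPresent()) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath.get(), keystorePassword.get()), keystorePassword.get().toCharArray());
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Whether a connection without a client certificate succeeds still depends on the server: a node that requires client authentication will reject the handshake.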