Apache Cassandra / CASSANDRA-11532

CqlConfigHelper requires both truststore and keystore to work with SSL encryption

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version/s: 2.2.6, 3.0.6, 3.6
    • Severity: Normal

    Description

      CqlConfigHelper configures SSL in the following way:

          public static Optional<SSLOptions> getSSLOptions(Configuration conf)
          {
              Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
              Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
              Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
              Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
              Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);

              // SSL is only configured when all four values are present: a truststore alone
              // (server verification without a client certificate) falls through to absent().
              if (truststorePath.isPresent() && keystorePath.isPresent() && truststorePassword.isPresent() && keystorePassword.isPresent())
              {
                  SSLContext context;
                  try
                  {
                      context = getSSLContext(truststorePath.get(), truststorePassword.get(), keystorePath.get(), keystorePassword.get());
                  }
                  catch (UnrecoverableKeyException | KeyManagementException |
                          NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e)
                  {
                      throw new RuntimeException(e);
                  }
                  String[] css = null;
                  if (cipherSuites.isPresent())
                      css = cipherSuites.get().split(",");
                  return Optional.of(JdkSSLOptions.builder()
                                                  .withSSLContext(context)
                                                  .withCipherSuites(css)
                                                  .build());
              }
              return Optional.absent();
          }


      which forces you to connect only to trusted nodes and to use client authentication. This should be made more flexible so that at least client authentication is optional.
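      The shape such a relaxation can take, as an added illustration that is not the attached CASSANDRA_11532.patch or any Cassandra code: the truststore (server verification) stays mandatory, the keystore (client certificate) becomes optional, and a keystore path without a password is rejected rather than silently dropped. Method and class names are hypothetical; the Guava Optional and DataStax JdkSSLOptions types are the ones the original snippet uses.

```java
import com.datastax.driver.core.JdkSSLOptions;
import com.datastax.driver.core.SSLOptions;
import com.google.common.base.Optional;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;

// Illustrative rewrite, not the committed CASSANDRA-11532 patch.
public final class FlexibleSslOptions
{
    public static Optional<SSLOptions> getSSLOptions(Optional<String> truststorePath, Optional<String> truststorePassword,
                                                     Optional<String> keystorePath, Optional<String> keystorePassword,
                                                     Optional<String> cipherSuites) throws Exception
    {
        // No truststore means the server cannot be verified, so SSL is not configured at all.
        if (!truststorePath.isPresent() || !truststorePassword.isPresent())
            return Optional.absent();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(truststorePath.get(), truststorePassword.get()));
        // Client authentication only when a keystore is configured; a path without a password is a misconfiguration.
        KeyManager[] keyManagers = null;
        if (keystorePath.isPresent())
        {
            if (!keystorePassword.isPresent())
                throw new IllegalArgumentException("keystore path set but keystore password missing");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(keystorePath.get(), keystorePassword.get()), keystorePassword.get().toCharArray());
            keyManagers = kmf.getKeyManagers();
        }
        // A null KeyManager[] falls back to the JDK defaults, i.e. no client certificate unless
        // javax.net.ssl.keyStore is set on the JVM; the trust managers above are always applied.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagers, tmf.getTrustManagers(), new SecureRandom());
        JdkSSLOptions.Builder builder = JdkSSLOptions.builder().withSSLContext(context);
        if (cipherSuites.isPresent())
            builder.withCipherSuites(cipherSuites.get().split(","));
        return Optional.of(builder.build());
    }

    private static KeyStore loadKeyStore(String path, String password) throws Exception
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path))
        {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```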

      Attachments

        1. CASSANDRA_11532.patch (4 kB, Jacek Lewandowski)


          People

            Assignee: Jacek Lewandowski (jlewandowski)
            Reporter: Jacek Lewandowski (jlewandowski)
            Authors: Jacek Lewandowski
            Reviewers: Jeremiah Jordan