Apache Cassandra: CASSANDRA-11532

CqlConfigHelper requires both truststore and keystore to work with SSL encryption


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version/s: 2.2.6, 3.0.6, 3.6
    • Component/s: None
    • Labels: None
    • Severity: Normal

    Description

      CqlConfigHelper configures SSL in the following way:

          public static Optional<SSLOptions> getSSLOptions(Configuration conf)
          {
              Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
              Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
              Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
              Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
              Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);
              if (truststorePath.isPresent() && keystorePath.isPresent() && truststorePassword.isPresent() && keystorePassword.isPresent())
              {
                  SSLContext context;
                  try
                  {
                      context = getSSLContext(truststorePath.get(), truststorePassword.get(), keystorePath.get(), keystorePassword.get());
                  }
                  catch (UnrecoverableKeyException | KeyManagementException |
                          NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e)
                  {
                      throw new RuntimeException(e);
                  }
                  String[] css = null;
                  if (cipherSuites.isPresent())
                      css = cipherSuites.get().split(",");
                  return Optional.of(JdkSSLOptions.builder()
                                                  .withSSLContext(context)
                                                  .withCipherSuites(css)
                                                  .build());
              }
              return Optional.absent();
          }

      Because all four values must be present, SSL is only ever enabled together with a truststore (verifying the cluster's certificate) and a keystore (presenting a client certificate), so you are forced into both trusted-node verification and client authentication. This should be made more flexible so that at least client authentication is optional.
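      The following is an added example of the more flexible shape described above; it is not Cassandra's code and not the patch that resolved this ticket. It keeps the truststore mandatory (without it the client cannot verify the server) and builds the key managers only when a keystore is configured, so client certificate authentication becomes opt-in. It assumes java.util.Optional rather than Guava's Optional, JKS stores whose key password equals the store password, and the DataStax driver's JdkSSLOptions builder shown in the original snippet; the configuration lookups that feed the method are left to the caller.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Optional;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import com.datastax.driver.core.JdkSSLOptions;
import com.datastax.driver.core.SSLOptions;

/**
 * Added example (not Cassandra's CqlConfigHelper): SSL options where the truststore is
 * required but the keystore is optional, so client authentication is only used when the
 * cluster actually demands it.
 */
public final class OptionalClientAuthSslOptions
{
    private OptionalClientAuthSslOptions() {}

    /** Loads a JKS store from disk (assumed format; path and password come from the job configuration). */
    static KeyStore loadKeyStore(String path, String password) throws IOException, GeneralSecurityException
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path))
        {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /**
     * Builds an SSLContext that always verifies the server against the truststore and
     * additionally presents a client certificate only when a keystore is supplied.
     */
    static SSLContext buildSslContext(String truststorePath, String truststorePassword,
                                      Optional<String> keystorePath, Optional<String> keystorePassword)
        throws IOException, GeneralSecurityException
    {
        // Trust managers are mandatory: without them the client cannot verify who it talks to.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(truststorePath, truststorePassword));

        // Key managers are optional: they are only needed if the server requires client auth.
        KeyManager[] keyManagers = null;
        if (keystorePath.isPresent())
        {
            String password = keystorePassword.orElse(null);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(keystorePath.get(), password), password == null ? null : password.toCharArray());
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext context = SSLContext.getInstance("TLS");
        // A null KeyManager[] means the JDK will not offer a client certificate.
        context.init(keyManagers, tmf.getTrustManagers(), null);
        return context;
    }

    /** Same contract as getSSLOptions in the ticket, but only the truststore gates SSL. */
    public static Optional<SSLOptions> getSslOptions(Optional<String> truststorePath, Optional<String> truststorePassword,
                                                     Optional<String> keystorePath, Optional<String> keystorePassword,
                                                     Optional<String> cipherSuites)
    {
        // No truststore configured: SSL stays off, matching the original behaviour.
        if (!truststorePath.isPresent() || !truststorePassword.isPresent())
            return Optional.empty();

        SSLContext context;
        try
        {
            context = buildSslContext(truststorePath.get(), truststorePassword.get(), keystorePath, keystorePassword);
        }
        catch (IOException | GeneralSecurityException e)
        {
            // UnrecoverableKeyException, KeyStoreException, CertificateException etc. all extend GeneralSecurityException.
            throw new RuntimeException("Failed to initialise SSL context", e);
        }

        String[] css = cipherSuites.map(s -> s.split(",")).orElse(null);
        return Optional.of(JdkSSLOptions.builder()
                                        .withSSLContext(context)
                                        .withCipherSuites(css)
                                        .build());
    }
}
```

      The check that matters for a defender is the first one: a missing truststore still disables SSL rather than silently falling back to an all-trusting context, so the relaxation only removes the client-certificate requirement, never server verification.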

          People

            Assignee: Jacek Lewandowski
            Reporter: Jacek Lewandowski
            Authors: Jacek Lewandowski
            Reviewers: Jeremiah Jordan
            Votes: 0
            Watchers: 3