[CASSANDRA-13325] Bring back the accepted encryption protocols list as configurable option - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Low
Resolution: Fixed
Fix Version/s: 4.0-beta4, 4.0
Component/s: Local/Config
Labels:
None

Source Control Link:

https://github.com/apache/cassandra/commit/919a8964a83511d96766c3e53ba603e77bca626c
Test and Documentation Plan:

Hide

Unit tests

Show
Unit tests

Description

With ~~CASSANDRA-10508~~, the hard coded list of accepted encryption protocols was eliminated. For some use cases, it is necessary to restrict the encryption protocols used for communication between client and server. Default JVM way of negotiations allows the best encryption protocol that client can use.
e.g. I have set Cassandra to use encryption. Ideally client and server negotiate to use best protocol (TLSv1.2). But a malicious client might force TLSv1.0 which is susceptible to POODLE attacks.

At the moment only way to restrict the encryption protocol is using the jdk.tls.client.protocols systems property. If I dont have enough access to modify this property, I dont have any way of restricting the encryption protocols.

I am proposing bring back the accepted_protocols property but make it configurable. If not specified, let the JVM take care of the TLS negotiations.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

trunk.diff
17/Mar/17 21:01
5 kB
Nachiket Patil

Activity

People

Assignee:: Jon Meredith

Reporter:: Nachiket Patil

Authors:: Jon Meredith

Reviewers:: Berenguer Blasi, David Capwell, Dinesh Joshi

Votes:: 2 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 14/Mar/17 00:40

Updated:: 27/Jan/21 17:11

Resolved:: 03/Dec/20 00:45

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: