
server_encryption_options is not backwards compatible with 3.11

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Fix Version/s: 4.0, 4.0-alpha
    • Component/s: Local/Config
    • Labels: None
    • Bug Category: Correctness - API / Semantic Implementation
    • Severity: Low
    • Complexity: Low Hanging Fruit
    • Discovered By: Performance Regression Test
    • Platform: All
    • Impacts: None

      Description

      The current `server_encryption_options` configuration options are as follows:

      server_encryption_options:
          # set to true for allowing secure incoming connections
          enabled: false
          # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
          optional: false
          # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
          # during upgrade to 4.0; otherwise, set to false.
          enable_legacy_ssl_storage_port: false
          # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
          internode_encryption: none
          keystore: conf/.keystore
          keystore_password: cassandra
          truststore: conf/.truststore
          truststore_password: cassandra
          # More advanced defaults below:
          # protocol: TLS
          # store_type: JKS
          # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
          # require_client_auth: false
          # require_endpoint_verification: false
      

      A couple of issues here:
      1. optional defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason
      2. The provided protocol and cipher suites are not good ideas (in particular, encouraging anyone to use CBC ciphers is a bad plan).

      I propose that before the 4.0 cut we fix up server_encryption_options and even client_encryption_options:

      1. Change the default optional setting to true. As the new Netty code intelligently decides whether or not to open a TLS connection, this is the more sensible default (it saves operators a step while transitioning to TLS as well).
      2. Update the defaults to what netty actually defaults to
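      A small config audit for the two problems raised above, added here as an example (it is not part of the ticket or of the Cassandra code base). It parses the flat `key: value` block shown in the description from a constructed cassandra.yaml excerpt and flags `optional: false` alongside `enabled: true`, and any CBC-mode suite in `cipher_suites`.

```python
import re
from typing import Dict, List

# Constructed sample: the server_encryption_options block quoted in the ticket,
# with enabled and cipher_suites un-commented so the checks have something to flag.
SAMPLE_CONFIG = """\
server_encryption_options:
    enabled: true
    optional: false
    enable_legacy_ssl_storage_port: false
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
"""

def parse_section(text: str, section: str) -> Dict[str, object]:
    """Parse the flat 'key: value' mapping indented under `section`.
    Handles only the scalar / inline-list shape used above; '#' comments are dropped,
    so values that themselves contain '#' are out of scope for this check."""
    opts: Dict[str, object] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # a top-level key starts or ends the section
            in_section = line.strip() == f"{section}:"
            continue
        if in_section and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if value.startswith("[") and value.endswith("]"):
                opts[key] = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            else:
                opts[key] = value
    return opts

def audit_server_encryption(text: str) -> List[str]:
    """Return findings for the two issues raised in CASSANDRA-15262."""
    opts = parse_section(text, "server_encryption_options")
    findings: List[str] = []
    # 1. With optional false (the 4.0 default, used here when the key is absent), only
    #    encrypted connections are handled on storage_port; the ticket notes this
    #    breaks existing TLS configurations and the transition to TLS.
    if opts.get("enabled") == "true" and opts.get("optional", "false") == "false":
        findings.append("optional is false while enabled is true: unencrypted peers are refused")
    # 2. CBC-mode suites are exactly what the ticket recommends against.
    cbc = [s for s in opts.get("cipher_suites", []) if "_CBC_" in s]
    if cbc:
        findings.append("CBC cipher suites configured: " + ", ".join(cbc))
    return findings
```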

      People

      • Assignee: Joey Lynch (jolynch)
      • Reporter: Joey Lynch (jolynch)
      • Authors: Joey Lynch
      • Reviewers: Benedict Elliott Smith