[CASSANDRA-16695] cqlsh should prefer newer TLS version by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 3.0.25, 3.11.11, 4.0-rc1, 4.0
Component/s: Tool/cqlsh
Labels:
- cqlsh

Complexity:
Normal
Platform:

All
Impacts:

None
Source Control Link:

https://github.com/apache/cassandra/commit/a0af091a5cbceeaa2b8f724b1790b61ef512b033
Test and Documentation Plan:

Hide

https://issues.apache.org/jira/browse/CASSANDRA-16695?focusedCommentId=17360257&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17360257

Show
https://issues.apache.org/jira/browse/CASSANDRA-16695?focusedCommentId=17360257&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17360257

Description

Some new JDK releases started to disable TLSv1.0 and TLSv1.1.

https://www.oracle.com/java/technologies/javase/8u291-relnotes.html

However, the code in:

https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L56-L65

is defaulting to those rather old versions,

which could lead to the following problem:

('Unable to connect to any servers', {'10.101.34.89:9042': error(1, u"Tried connecting to [('10.101.34.89', 9042)]. Last error: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:618)")})

Python2 default TLS protocol

https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS

Python3 default TLS protocol

https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS

Attachments

Issue Links

is related to

CASSANDRA-16736 CQL shell should prefer newer TLS version by default

Resolved

Activity

People

Assignee:: Ekaterina Dimitrova

Reporter:: Justin Chu

Authors:: Ekaterina Dimitrova

Reviewers:: Adam Holmberg, Brandon Williams, David Capwell

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 25/May/21 18:09

Updated:: 01/Aug/21 11:43

Resolved:: 12/Jun/21 18:23