  1. Cassandra
  2. CASSANDRA-17367

sstableloader ignores streaming encryption settings


Details

    Description

      Reproducible in Cassandra 4.x. If one configures encryption for streaming in the config YAML fed to sstableloader like this:

      server_encryption_options:
          internode_encryption: all
          keystore: sstableloader.keystore.p12
          keystore_password: changeit
          truststore: sstableloader.truststore.jks
          truststore_password: changeit

      then sstableloader should perform an SSL handshake on the streaming connections and encrypt the payload. But this does not happen. Judging by the tcpdump capture of the outgoing traffic on the internode port, sstableloader sends plaintext traffic. This is the TCP payload of the first packet that sstableloader sends after establishing the TCP connection:

      ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0

      The first 4 bytes look like Cassandra protocol magic, not like a client hello.

      I've discovered the issue while trying to migrate some data to a Cassandra 4 listening on the legacy SSL storage port (therefore, accepting only encrypted connections on that port). The streaming phase of the migration failed with a "connection closed" error, which hints that the connection was closed server-side.
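
The check the report makes by eye on the captured bytes, written out as an added example (not part of the original report or of Cassandra's code): it classifies the first payload bytes of a connection as a TLS ClientHello or as something else. The function and constant names are hypothetical, and the ClientHello sample is constructed.

```python
"""Classify the first bytes a client sends on a TCP connection."""
import struct

# First-packet payload, copied verbatim from the hex dump in the report.
REPORTED_PAYLOAD = bytes.fromhex(
    "ca 55 2d fa 0c 0c 0c 08 06 0a f0 01 f9 1b 58 a8 32 f2 d0")
# The four leading bytes the report says look like Cassandra protocol magic.
MAGIC_FROM_REPORT = REPORTED_PAYLOAD[:4]

# Constructed sample (not from a real capture): TLS record header
# (type 0x16 handshake, version 3.1, length 0x0200) followed by a handshake
# header (type 0x01 ClientHello, 3-byte length) and client_version 3.3.
CONSTRUCTED_CLIENT_HELLO = bytes.fromhex("16 03 01 02 00  01 00 01 fc  03 03")

TLS_CONTENT_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, app data
TLS_HANDSHAKE = 22
CLIENT_HELLO = 1
MAX_RECORD_LEN = 2 ** 14 + 2048        # upper bound for a TLS 1.2 ciphertext record


def classify_first_bytes(payload: bytes) -> str:
    """Return 'plaintext-magic', 'tls-client-hello', 'tls-other',
    'unknown' or 'too-short' for the start of a TCP stream."""
    if payload[:4] == MAGIC_FROM_REPORT:
        return "plaintext-magic"
    if len(payload) < 6:               # 5-byte record header + handshake type
        return "too-short"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    looks_like_record = (
        content_type in TLS_CONTENT_TYPES
        and major == 3 and minor <= 4
        and 0 < rec_len <= MAX_RECORD_LEN
    )
    if not looks_like_record:
        return "unknown"
    if content_type == TLS_HANDSHAKE and payload[5] == CLIENT_HELLO:
        return "tls-client-hello"
    return "tls-other"


if __name__ == "__main__":
    for name, data in [("reported", REPORTED_PAYLOAD),
                       ("constructed ClientHello", CONSTRUCTED_CLIENT_HELLO)]:
        print(f"{name}: {classify_first_bytes(data)}")
```

A connection that is supposed to be encrypted should classify as `tls-client-hello` on its first client packet; any other result on the internode port means the payload is not being wrapped in TLS.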

      Attachments

        1. 17367-4.0.txt
          10 kB
          Dmitry Potepalov
        2. 17367-trunk.txt
          11 kB
          Dmitry Potepalov

          People

            dpotepalov Dmitry Potepalov
            Berenguer Blasi, Brandon Williams