Apache Cassandra / CASSANDRA-18778

Empty keystore_password no longer allowed on encryption_options


    Description

      After CASSANDRA-18124 (introduced in 4.1.2 and 5.0) it is no longer possible to set an empty keystore_password under client_encryption_options or server_encryption_options using the default implementation DefaultSslContextFactory.

      While keytool does not allow generating keystores with empty passwords, it does support reading them. It is not uncommon to use PKCS12 certificates generated by other tools (e.g. openssl) that do not enforce passwords.

      The fix for this should be pretty straightforward, which should involve changing FileBasedSslContextFactory.validatePassword to only disallow null passwords (which would be consistent with previous versions). I will create pull requests against the relevant branches shortly.

      Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Failed to initialize SSL
      org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
      	at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1155)
      	at org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:390)
      	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:204)
      	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:188)
      	at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:804)
      	at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:747)
      	at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:875)
      Caused by: java.io.IOException: Failed to create SSL context using Native transport
      	at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:405)
      	at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1150)
      	... 6 more
      Caused by: java.lang.IllegalArgumentException: 'keystore_password' must be specified
      	at org.apache.cassandra.security.FileBasedSslContextFactory.validatePassword(FileBasedSslContextFactory.java:133)
      	at org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java:151)
      	at org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:181)
      	at org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:168)
      	at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:355)
      	... 7 more
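The following is an added illustration, not code from the Cassandra project: `validateStrict` and `validateNullOnly` are simplified stand-ins for the two behaviours of `FileBasedSslContextFactory.validatePassword` described above (after CASSANDRA-18124, and as proposed in this issue); the real method's body is not shown on this page. The PKCS12 keystore is constructed in memory with the JDK's own `KeyStore` API as a stand-in for an openssl-generated file, to show that the JDK reads a keystore whose integrity MAC was keyed with an empty password, so `""` is a usable value and only `null` is genuinely unusable.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

// Added example (not Cassandra's own code): contrasts the two validation
// policies for keystore_password and shows that the JDK can read a PKCS12
// keystore protected by an empty password.
public class EmptyKeystorePasswordDemo
{
    // Stand-in for the check introduced by CASSANDRA-18124: null and "" both fail,
    // producing the "'keystore_password' must be specified" error from the stack trace.
    static void validateStrict(String key, String password)
    {
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("'" + key + "' must be specified");
    }

    // Stand-in for the fix proposed in this issue: only a missing (null) password fails,
    // which matches the behaviour of versions before 4.1.2 / 5.0.
    static void validateNullOnly(String key, String password)
    {
        if (password == null)
            throw new IllegalArgumentException("'" + key + "' must be specified");
    }

    // Constructed in-memory PKCS12 keystore protected by an empty password, then read
    // back with that same empty password. Returns the number of entries read (0 here).
    static int roundTripWithEmptyPassword() throws Exception
    {
        char[] empty = "".toCharArray();          // the value an operator writes as keystore_password: ''

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                      // fresh, empty keystore
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, empty);                     // integrity MAC keyed with the empty password

        KeyStore loaded = KeyStore.getInstance("PKCS12");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), empty);
        return loaded.size();
    }

    public static void main(String[] args) throws Exception
    {
        String keystorePassword = "";             // what cassandra.yaml contains in the reported case

        try
        {
            validateStrict("keystore_password", keystorePassword);
            System.out.println("strict check: accepted");
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("strict check: " + e.getMessage());
        }

        validateNullOnly("keystore_password", keystorePassword);
        System.out.println("null-only check: accepted");

        System.out.println("PKCS12 entries read back with empty password: "
                           + roundTripWithEmptyPassword());
    }
}
```

Note that accepting an empty keystore password only removes a configuration-time rejection; it does not change what protects the keystore contents. With an empty password the PKCS12 file's confidentiality rests entirely on file-system permissions of the keystore, so operators relying on this should keep the file readable by the Cassandra process user only.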
      


          People

            Assignee: Andy Tolbert (andrew.tolbert)
            Reporter: Andy Tolbert (andrew.tolbert)
            Authors: Andy Tolbert
            Reviewers: Jon Meredith, Stefan Miklosovic
            Votes: 0
            Watchers: 5
