Return-Path: X-Original-To: apmail-cassandra-commits-archive@www.apache.org Delivered-To: apmail-cassandra-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3B9D2CEAC for ; Mon, 17 Mar 2014 17:12:20 +0000 (UTC) Received: (qmail 99860 invoked by uid 500); 17 Mar 2014 17:12:15 -0000 Delivered-To: apmail-cassandra-commits-archive@cassandra.apache.org Received: (qmail 99768 invoked by uid 500); 17 Mar 2014 17:12:14 -0000 Mailing-List: contact commits-help@cassandra.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cassandra.apache.org Delivered-To: mailing list commits@cassandra.apache.org Received: (qmail 99159 invoked by uid 99); 17 Mar 2014 17:12:10 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 17 Mar 2014 17:12:10 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id F172C982797; Mon, 17 Mar 2014 17:12:09 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: brandonwilliams@apache.org To: commits@cassandra.apache.org Date: Mon, 17 Mar 2014 17:12:10 -0000 Message-Id: In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [02/10] git commit: Add extra SSL cipher suites. Add extra SSL cipher suites. Patch by brandonwilliams, reviewed by Ray Sinnema for CASSANDRA-6613 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/3876eefd Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/3876eefd Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/3876eefd Branch: refs/heads/cassandra-2.0 Commit: 3876eefd11a849099150f19250f6c8fcd89579ee Parents: 8526347 Author: Brandon Williams Authored: Mon Mar 17 12:05:35 2014 -0500 Committer: Brandon Williams Committed: Mon Mar 17 12:05:35 2014 -0500 ---------------------------------------------------------------------- CHANGES.txt | 1 + conf/cassandra.yaml | 5 +++-- src/java/org/apache/cassandra/config/EncryptionOptions.java | 6 +++++- 3 files changed, 9 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/3876eefd/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 325c623..f88345d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 1.2.16 + * add extra SSL cipher suites (CASSANDRA-6613) * fix nodetool getsstables for blob PK (CASSANDRA-6803) * Add CMSClassUnloadingEnabled JVM option (CASSANDRA-6541) * Catch memtable flush exceptions during shutdown (CASSANDRA-6735) http://git-wip-us.apache.org/repos/asf/cassandra/blob/3876eefd/conf/cassandra.yaml ---------------------------------------------------------------------- diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml index 194a196..ecad3f0 100644 --- a/conf/cassandra.yaml +++ b/conf/cassandra.yaml @@ -651,6 +651,7 @@ index_interval: 128 # Default settings are TLS v1, RSA 1024-bit keys (it is imperative that # users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher # suite for authentication, key exchange and encryption of the actual data transfers. +# Use the DHE/ECDHE ciphers if running in FIPS 140 compliant mode. # NOTE: No custom encryption options are enabled at the moment # The available internode options are : all, none, dc, rack # @@ -671,7 +672,7 @@ server_encryption_options: # protocol: TLS # algorithm: SunX509 # store_type: JKS - # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA] + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] # require_client_auth: false # enable or disable client/server encryption. @@ -687,7 +688,7 @@ client_encryption_options: # protocol: TLS # algorithm: SunX509 # store_type: JKS - # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA] + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] # internode_compression controls whether traffic between nodes is # compressed. http://git-wip-us.apache.org/repos/asf/cassandra/blob/3876eefd/src/java/org/apache/cassandra/config/EncryptionOptions.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java index f873636..945a15b 100644 --- a/src/java/org/apache/cassandra/config/EncryptionOptions.java +++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java @@ -23,7 +23,11 @@ public abstract class EncryptionOptions public String keystore_password = "cassandra"; public String truststore = "conf/.truststore"; public String truststore_password = "cassandra"; - public String[] cipher_suites = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}; + public String[] cipher_suites = { + "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" + }; public String protocol = "TLS"; public String algorithm = "SunX509"; public String store_type = "JKS";