cassandra-commits mailing list archives

From "Stefan Podkowinski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-9590) Support for both encrypted and unencrypted native transport connections
Date Mon, 15 Jun 2015 10:53:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14585770#comment-14585770 ]

Stefan Podkowinski commented on CASSANDRA-9590:
-----------------------------------------------

[~mikea], I'm not sure how it would be possible to support both encrypted and unencrypted
content over a TLS socket. TLS connections are initiated by a handshake protocol. Without
TLS enabled, any native client won't be able to participate in the handshake. I'm not aware
of how a downgrade would work in this scenario, but I'd be grateful for further references on
that.


> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-9590
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Stefan Podkowinski
>
> Enabling encryption for native transport currently turns SSL exclusively on or off for the opened socket. Migrating from plain to encrypted requires migrating all native clients as well and redeploying all of them at the same time after starting the SSL-enabled Cassandra nodes.
> This patch would allow starting Cassandra with both an unencrypted and an SSL-enabled native port. Clients can connect to either, based on whether they support SSL or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}} config option.
> There would be three scenarios:
> * client encryption disabled: native_transport_port unencrypted, port_ssl not used
> * client encryption enabled, port_ssl not set: encrypted native_transport_port
> * client encryption enabled and port_ssl set: native_transport_port unencrypted, port_ssl encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal (tests will be added later in case people speak out in favor of the patch):
> [Diff trunk|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/optionalnativessl],
> [Patch against trunk|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/optionalnativessl.patch]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
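
An added example, not part of the original message or the proposed patch: during a plain-to-encrypted migration like the one described above, the first bytes a client sends show whether it opens with a TLS handshake or with a plaintext native-protocol frame, which lets an operator list the clients that still need migrating. It assumes native protocol v3 to v5 framing (9-byte header) and uses constructed sample bytes; `classify_first_bytes` and `plaintext_clients` are hypothetical names.

```python
import struct

# Assumption: native protocol v3-v5 framing (9-byte header: version, flags,
# stream id, opcode, body length). v1/v2 use an 8-byte header and are not handled.
CLIENT_OPENING_OPCODES = {0x01: "STARTUP", 0x05: "OPTIONS"}
MAX_BODY = 256 * 1024 * 1024  # sanity bound on the declared body length


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection's first client bytes: 'tls', 'native-plaintext' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), major version 3,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if len(data) >= 9:
        version, _flags, _stream, opcode, length = struct.unpack(">BBhBI", data[:9])
        # A request has the direction bit (0x80) clear, so version is 3..5 as-is.
        if version in (3, 4, 5) and opcode in CLIENT_OPENING_OPCODES and length <= MAX_BODY:
            return "native-plaintext"
    return "unknown"


def plaintext_clients(observations):
    """Return the sorted clients whose first bytes were a plaintext native frame."""
    return sorted({client for client, first in observations
                   if classify_first_bytes(first) == "native-plaintext"})


# Constructed sample data (not captured traffic); addresses are placeholders.
_startup_body = (b"\x00\x01" + struct.pack(">H", 11) + b"CQL_VERSION"
                 + struct.pack(">H", 5) + b"3.0.0")
SAMPLES = [
    ("10.0.0.11", bytes.fromhex("160301002f0100002b0303")),   # TLS ClientHello prefix
    ("10.0.0.12", struct.pack(">BBhBI", 4, 0, 0, 0x05, 0)),   # v4 OPTIONS, empty body
    ("10.0.0.13", struct.pack(">BBhBI", 3, 0, 1, 0x01, len(_startup_body)) + _startup_body),
    ("10.0.0.14", b"GET / HTTP/1.1\r\n"),                     # unrelated protocol
]

if __name__ == "__main__":
    for client, first in SAMPLES:
        print(client, classify_first_bytes(first))
    print("still plaintext:", plaintext_clients(SAMPLES))
```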
