cassandra-commits mailing list archives

From "Jason Brown (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CASSANDRA-11405) Server encryption cannot be enabled with the IBM JRE 1.7
Date Wed, 23 Mar 2016 16:25:26 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-11405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Brown resolved CASSANDRA-11405.
-------------------------------------
    Resolution: Won't Fix

> Server encryption cannot be enabled with the IBM JRE 1.7
> --------------------------------------------------------
>
>                 Key: CASSANDRA-11405
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11405
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Configuration
>         Environment: Linux, IBM JRE 1.7
>            Reporter: Guillermo Vega-Toro
>             Fix For: 2.2.6
>
>
> When enabling server encryption with the IBM JRE (algorithm: IbmX509), an IllegalArgumentException is thrown from the IBM JSSE when the server is started:
> ERROR 10:04:37,326 Exception encountered during startup
> java.lang.IllegalArgumentException: SSLv2Hello
>         at com.ibm.jsse2.qb.a(qb.java:50)
>         at com.ibm.jsse2.pb.a(pb.java:101)
>         at com.ibm.jsse2.pb.<init>(pb.java:77)
>         at com.ibm.jsse2.oc.setEnabledProtocols(oc.java:77)
>         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:64)
>         at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:425)
>         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:409)
>         at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:693)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:623)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:515)
>         at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:437)
>         at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:567)
>         at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:656)
> The problem is that the IBM JSSE does not support SSLv2Hello, but this protocol is hard-coded in class org.apache.cassandra.security.SSLFactory:
>     public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
>     public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
>     {
>         SSLContext ctx = createSSLContext(options, true);
>         SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
>         serverSocket.setReuseAddress(true);
>         String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
>         serverSocket.setEnabledCipherSuites(suits);
>         serverSocket.setNeedClientAuth(options.require_client_auth);
>         serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
>         serverSocket.bind(new InetSocketAddress(address, port), 500);
>         return serverSocket;
>     }
> This ACCEPTED_PROTOCOLS array should not be hard-coded. It should rather read the protocols from configuration, or if the algorithm is IbmX509, simply do not call setEnabledProtocols - with the IBM JSSE, the enabled protocol is controlled by the protocol passed to SSLContext.getInstance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
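
One way to avoid the IllegalArgumentException described in the report is to intersect the wanted protocol list with what the JSSE provider reports through getSupportedProtocols() before calling setEnabledProtocols. This is an added example, not Cassandra code and not a fix from the project (the issue was resolved Won't Fix), and it is a different technique from the two the reporter proposes; the class ProtocolFilterExample and the method filterProtocols are hypothetical names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Added example with hypothetical names; not part of org.apache.cassandra.security.SSLFactory.
public class ProtocolFilterExample
{
    // Same list the report quotes from SSLFactory.
    static final String[] ACCEPTED_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};

    // Keep only the wanted protocols that the provider supports, preserving the wanted order.
    static String[] filterProtocols(String[] supported, String[] wanted)
    {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String protocol : wanted)
            if (available.contains(protocol))
                enabled.add(protocol);
        // SSLv2Hello is a hello format, not a protocol version, so it cannot stand alone.
        if (enabled.isEmpty() || (enabled.size() == 1 && enabled.contains("SSLv2Hello")))
            throw new IllegalStateException("No accepted TLS version supported: " + Arrays.toString(supported));
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception
    {
        // Constructed sample: a provider list without SSLv2Hello, the situation the report describes.
        String[] constructed = {"TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(filterProtocols(constructed, ACCEPTED_PROTOCOLS)));

        // Against the running JRE: the socket is created unbound, so nothing listens.
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket socket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket())
        {
            String[] enabled = filterProtocols(socket.getSupportedProtocols(), ACCEPTED_PROTOCOLS);
            socket.setEnabledProtocols(enabled);
            System.out.println(Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Failing closed when no TLS version survives the filter keeps a misconfigured node from starting with an unusable encrypted listener.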
