cassandra-commits mailing list archives

From "Jeremiah Jordan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-11532) CqlConfigHelper requires both truststore and keystore to work with SSL encryption
Date Mon, 11 Apr 2016 18:55:25 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-11532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15235724#comment-15235724 ]

Jeremiah Jordan commented on CASSANDRA-11532:
---------------------------------------------

[~iamaleksey] sorry, looks like I had a fail pasting in the commit message.  The code is right.

> CqlConfigHelper requires both truststore and keystore to work with SSL encryption
> ---------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-11532
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11532
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jacek Lewandowski
>            Assignee: Jacek Lewandowski
>         Attachments: CASSANDRA_11532.patch
>
>
> {{CqlConfigHelper}} configures SSL in the following way:
> {code:java}
>     public static Optional<SSLOptions> getSSLOptions(Configuration conf)
>     {
>         Optional<String> truststorePath = getInputNativeSSLTruststorePath(conf);
>         Optional<String> keystorePath = getInputNativeSSLKeystorePath(conf);
>         Optional<String> truststorePassword = getInputNativeSSLTruststorePassword(conf);
>         Optional<String> keystorePassword = getInputNativeSSLKeystorePassword(conf);
>         Optional<String> cipherSuites = getInputNativeSSLCipherSuites(conf);
>         
>         if (truststorePath.isPresent() && keystorePath.isPresent() && truststorePassword.isPresent() && keystorePassword.isPresent())
>         {
>             SSLContext context;
>             try
>             {
>                 context = getSSLContext(truststorePath.get(), truststorePassword.get(), keystorePath.get(), keystorePassword.get());
>             }
>             catch (UnrecoverableKeyException | KeyManagementException |
>                     NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e)
>             {
>                 throw new RuntimeException(e);
>             }
>             String[] css = null;
>             if (cipherSuites.isPresent())
>                 css = cipherSuites.get().split(",");
>             return Optional.of(JdkSSLOptions.builder()
>                                             .withSSLContext(context)
>                                             .withCipherSuites(css)
>                                             .build());
>         }
>         return Optional.absent();
>     }
> {code}
> which forces you to connect only to trusted nodes and client authentication. This should be made more flexible so that at least client authentication is optional.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
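
An added example, not part of the original message and not the attached CASSANDRA_11532.patch: one way to build an SSLContext in which the truststore and the keystore are each optional, using only JDK classes. The class name `OptionalStoreSslContext`, the method `build` and its nullable String parameters are hypothetical; the default keystore type is assumed for both files.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OptionalStoreSslContext
{
    // Hypothetical helper (not Cassandra code). Either path may be null.
    public static SSLContext build(String truststorePath, String truststorePassword,
                                   String keystorePath, String keystorePassword)
            throws GeneralSecurityException, IOException
    {
        // Server verification stays on in every case: a null KeyStore makes the
        // factory fall back to the JVM's default trust anchors.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststorePath == null ? null : load(truststorePath, truststorePassword));

        // Client authentication only when a keystore is configured.
        KeyManager[] keyManagers = null; // null: this code supplies no client key material
        if (keystorePath != null)
        {
            // A half-configured keystore is an error, not a reason to skip SSL.
            if (keystorePassword == null)
                throw new IllegalArgumentException("keystore path set without a password");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath, keystorePassword), keystorePassword.toCharArray());
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagers, tmf.getTrustManagers(), null);
        return context;
    }

    private static KeyStore load(String path, String password) throws GeneralSecurityException, IOException
    {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path))
        {
            // A null password loads the store without an integrity check.
            store.load(in, password == null ? null : password.toCharArray());
        }
        return store;
    }
}
```

With all four arguments null this still yields a context that validates the server against the JVM's default CA set; a configured truststore narrows trust to that file, and a configured keystore adds the client certificate.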
