cassandra-commits mailing list archives

From "Jane Deng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-12773) cassandra-stress error for one way SSL
Date Thu, 13 Oct 2016 17:24:20 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-12773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15572601#comment-15572601 ]

Jane Deng commented on CASSANDRA-12773:
---------------------------------------

Thanks Stefan. The problem is people could not use the default password "cassandra" in production.
We received the report of the error.

Actually I think there could be some improvement from SSLFactory.java:
{code}
public static SSLContext createSSLContext(EncryptionOptions options, boolean buildTruststore)
throws IOException
{code}

The truststore holds the public key and will be passed by the client anyway. However, the
keystore holds the private key which may or may not be passed by the client (depending on
require_client_auth = true/false). In the current implementation, we load the keystore for every
client request, but decide to load the truststore or not based on the parameter "buildTruststore".
It may be better to change the context of "buildTruststore" to "buildKeystore". But this change
will affect all of the current clients and it could be another JIRA.



 

> cassandra-stress error for one way SSL 
> ---------------------------------------
>
>                 Key: CASSANDRA-12773
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12773
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tools
>            Reporter: Jane Deng
>         Attachments: 12773-2.2.patch
>
>
> CASSANDRA-9325 added keystore/truststore configuration into cassandra-stress. However,
> for one way ssl (require_client_auth=false), there is no need to pass keystore info into ssloptions.
> Cassandra-stress errored out:
> {noformat}
> java.lang.RuntimeException: java.io.IOException: Error creating the initializing the SSL Context
> at org.apache.cassandra.stress.settings.StressSettings.getJavaDriverClient(StressSettings.java:200)
> at org.apache.cassandra.stress.settings.SettingsSchema.createKeySpacesNative(SettingsSchema.java:79)
> at org.apache.cassandra.stress.settings.SettingsSchema.createKeySpaces(SettingsSchema.java:69)
> at org.apache.cassandra.stress.settings.StressSettings.maybeCreateKeyspaces(StressSettings.java:207)
> at org.apache.cassandra.stress.StressAction.run(StressAction.java:55)
> at org.apache.cassandra.stress.Stress.main(Stress.java:117)
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
> at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:151)
> at org.apache.cassandra.stress.util.JavaDriverClient.connect(JavaDriverClient.java:128)
> at org.apache.cassandra.stress.settings.StressSettings.getJavaDriverClient(StressSettings.java:191)
> ... 5 more
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:129)
> ... 7 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
> ... 10 more
> {noformat}
> It's a bug from CASSANDRA-9325. When the keystore is absent, the keystore is assigned
> to the path of the truststore, but the password isn't taken care of.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
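
An added illustration of the point discussed in this message, not code from the Cassandra project or from the attached patch: a client-side SSLContext that always loads the truststore but loads a keystore only when one is configured, each store with its own password. The class name OneWayTlsContext and the methods load and create are hypothetical; only standard JSSE calls are used.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper for illustration; this is not Cassandra's SSLFactory.
public final class OneWayTlsContext
{
    /** Loads a JKS store from disk, verifying it with that store's own password. */
    static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException
    {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path))
        {
            ks.load(in, password); // throws IOException if the password does not match
        }
        return ks;
    }

    /**
     * The truststore is always required so the server certificate can be verified.
     * The keystore is needed only when the server sets require_client_auth=true;
     * pass keystorePath == null for one-way SSL.
     */
    public static SSLContext create(String truststorePath, char[] truststorePassword,
                                    String keystorePath, char[] keystorePassword)
    throws IOException, GeneralSecurityException
    {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, truststorePassword));

        KeyManager[] keyManagers = null; // null: the context holds no client key material
        if (keystorePath != null)
        {
            // Never fall back to the truststore path here: its password differs.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath, keystorePassword), keystorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```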
