Date: Fri, 17 Mar 2017 21:02:41 +0000 (UTC)
From: "Nachiket Patil (JIRA)"
To: commits@cassandra.apache.org
Subject: [jira] [Updated] (CASSANDRA-13325) Bring back the accepted encryption protocols list as configurable option

[ https://issues.apache.org/jira/browse/CASSANDRA-13325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nachiket Patil updated CASSANDRA-13325:
---------------------------------------
    Assignee: Nachiket Patil
    Fix Version/s: 4.x
    Status: Patch Available  (was: Open)

> Bring back the accepted encryption protocols list as configurable option
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13325
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Nachiket Patil
>            Assignee: Nachiket Patil
>            Priority: Minor
>             Fix For: 4.x
>
>         Attachments: trunk.diff
>
>
> With CASSANDRA-10508, the hard-coded list of accepted encryption protocols was eliminated. For some use cases, it is necessary to restrict the encryption protocols used for communication between client and server. The default JVM way of negotiation allows the best encryption protocol that the client can use.
> e.g. I have set Cassandra to use encryption.
> Ideally client and server negotiate to use the best protocol (TLSv1.2). But a malicious client might force TLSv1.0, which is susceptible to POODLE attacks.
> At the moment the only way to restrict the encryption protocol is using the {{jdk.tls.client.protocols}} system property. If I don't have enough access to modify this property, I don't have any way of restricting the encryption protocols.
> I am proposing to bring back the accepted_protocols property but make it configurable. If not specified, let the JVM take care of the TLS negotiations.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
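An added illustration of the server-side behaviour the proposal describes (example code written for this note, not the attached trunk.diff or Cassandra's own code): a hypothetical AcceptedProtocols helper applies a configured accepted_protocols list to a JSSE SSLEngine, leaves the JVM defaults in place when the list is absent, and fails closed when the list matches nothing the JVM supports.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper (not Cassandra code): enforce a configured accepted_protocols list. */
public final class AcceptedProtocols {

    private AcceptedProtocols() {}

    /** Applies the policy to the engine and returns the protocols actually enabled afterwards. */
    public static String[] apply(SSLEngine engine, List<String> acceptedProtocols) {
        if (acceptedProtocols == null || acceptedProtocols.isEmpty()) {
            // Not configured: let the JVM negotiate with its own default set, as proposed.
            return engine.getEnabledProtocols();
        }
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = new ArrayList<>();
        for (String p : acceptedProtocols) {
            if (supported.contains(p)) {
                enabled.add(p);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed: a configured list that matches nothing must not silently
            // fall back to whatever the client happens to prefer.
            throw new IllegalArgumentException("none of the accepted protocols "
                + acceptedProtocols + " are supported by this JVM: " + supported);
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, as Cassandra's listener would be
        System.out.println("JVM default: " + Arrays.toString(apply(engine, null)));
        // With only TLSv1.2 enabled, a peer that offers nothing newer than TLSv1.0 is
        // rejected during the handshake instead of the server being negotiated down.
        System.out.println("restricted:  "
            + Arrays.toString(apply(engine, Arrays.asList("TLSv1.2"))));
    }
}
```

The exact protocol names available depend on the JVM in use; the helper queries getSupportedProtocols() at runtime rather than assuming a fixed set.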