cassandra-commits mailing list archives

From "Stefan Podkowinski (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-10404) Node to Node encryption transitional mode
Date Thu, 21 Sep 2017 14:27:01 GMT


Stefan Podkowinski commented on CASSANDRA-10404:

I had the following couple of questions/remarks while looking at the patch today:

* Assuming we have a 3.x cluster already running with ssl enabled and now start to bump the
first node to 4.0. If we connect to {{storage_port}} by default in 4.0, won't the upgraded
node fail to start with a "Unable to gossip with any seeds" error?
* Do we want to add an option to disable the {{ssl_storage_port}}? E.g. by setting it to the
same value as storage_port?
* {{doc/source/operating/security.rst}}: needs to be updated
* {{cassandra.yaml}}: comments for {{storage_port}} and {{ssl_storage_port}} not accurate
anymore, as both can use encryption now. We also should clearly describe the port as legacy
port only used during upgrades. There should be a link to {{security.rst}} for further details.
* Some of the native transport and internode netty code has become redundant, e.g. {{Server.OptionalSecureInitializer}}
and the new {{OptionalSslHandler}}. It's probably not in scope of this ticket, but should
maybe be addressed in another ticket at some point.
* Use of {{server_encryption}} in {{NettyFactory.OutboundInitializer}} could use some comments,
especially on why we don't have to check all remaining options such as {{internode_encryption}}
(already checked in {{MessagingService}})

> Node to Node encryption transitional mode
> -----------------------------------------
>                 Key: CASSANDRA-10404
>                 URL:
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tom Lewis
>            Assignee: Jason Brown
>             Fix For: 4.x
> Create a transitional mode for encryption that allows encrypted and unencrypted traffic
> node-to-node during a change over to encryption from unencrypted. This alleviates downtime
> during the switch.
> This is similar to CASSANDRA-10559 which is intended for client-to-node
