Mailing-List: contact user-help@cassandra.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@cassandra.apache.org
Received-SPF: pass (nike.apache.org: domain of dave@stormpath.com designates
 209.85.220.50 as permitted sender)
From: David Laube <dave@stormpath.com>
Content-Type: multipart/alternative;
 boundary="Apple-Mail=_65EB1735-C42B-4DD2-8926-22D6157A34D2"
Subject: cqlsh error after enabling encryption
Message-Id: <31FB2948-2AC8-415A-8479-CFADD77F1ABF@stormpath.com>
Date: Tue, 3 Sep 2013 14:20:05 -0700
To: "user@cassandra.apache.org" <user@cassandra.apache.org>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))


--Apple-Mail=_65EB1735-C42B-4DD2-8926-22D6157A34D2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Hi All,

After enabling encryption on our Cassandra 1.2.8 nodes, we receiving the =
error "Connection error: TSocket read 0 bytes" while attempting to use =
CQLsh to talk to the ring. I've followed the docs over at =
http://www.datastax.com/documentation/cassandra/1.2/webhelp/cassandra/secu=
rity/secureCqlshSSL_t.html but can't seem to figure out why this isn't =
working. Inter-node communication seems to be working properly since =
"nodetool status" shows our nodes as up, but the CQLsh client is unable =
to talk to a single node or any node in the cluster (specifying the IP =
in .cqlshrc or on the CLI) for some reason. I'm providing the applicable =
config file entries below for review. Any insight or suggestions would =
be greatly appreciated! :)


My ~/.cqlshrc file:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

[connection]
hostname =3D 127.0.0.1
port =3D 9160
factory =3D cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile =3D /etc/cassandra/conf/cassandra_client.crt
validate =3D true ## Optional, true by default.

[certfiles] ## Optional section, overrides the default certfile in the =
[ssl] section.
192.168.1.3 =3D ~/keys/cassandra01.cert
192.168.1.4 =3D ~/keys/cassandra02.cert
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D


Our cassandra.yaml file config blocks:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=85snip=85

server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: yeah-right
    truststore: /etc/cassandra/conf/.truststore
    truststore_password: yeah-right
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    # cipher_suites: =
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
    # require_client_auth: false

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: yeah-right
    # require_client_auth: false
    # Set trustore and truststore_password if require_client_auth is =
true
    # truststore: conf/.truststore
    # truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: =
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]

=85snip...
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D


Thanks,
-David Laube


--Apple-Mail=_65EB1735-C42B-4DD2-8926-22D6157A34D2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><div>Hi All,</div><div><br></div><div>After enabling encryption on our =
Cassandra 1.2.8 nodes, we receiving the error "Connection error: TSocket =
read 0 bytes" while attempting to use CQLsh to talk to the ring. I've =
followed the docs over at&nbsp;<a =
href=3D"http://www.datastax.com/documentation/cassandra/1.2/webhelp/cassan=
dra/security/secureCqlshSSL_t.html">http://www.datastax.com/documentation/=
cassandra/1.2/webhelp/cassandra/security/secureCqlshSSL_t.html</a>&nbsp;bu=
t can't seem to figure out why this isn't working. Inter-node =
communication seems to be working properly since "nodetool status" shows =
our nodes as up, but the CQLsh client is unable to talk to a single node =
or any node in the cluster (specifying the IP in .cqlshrc or on the CLI) =
for some reason. I'm providing the applicable config file entries below =
for review. Any insight or suggestions would be greatly appreciated! =
:)</div><div><br></div><div><br></div><div><br></div><div>My ~/.cqlshrc =
file:</div><div>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</=
div><div><div><br></div><div>[connection]</div><div>hostname =3D =
127.0.0.1</div><div>port =3D 9160</div><div>factory =3D =
cqlshlib.ssl.ssl_transport_factory</div><div><br></div><div>[ssl]</div><di=
v>certfile =3D =
/etc/cassandra/conf/cassandra_client.crt</div><div>validate =3D true ## =
Optional, true by default.</div><div><br></div><div>[certfiles] ## =
Optional section, overrides the default certfile in the [ssl] =
section.</div><div>192.168.1.3 =3D =
~/keys/cassandra01.cert</div><div>192.168.1.4 =3D =
~/keys/cassandra02.cert</div></div><div>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D</div><div><br></div><div><br></div><div><br></div><d=
iv>Our cassandra.yaml file config =
blocks:</div><div><div>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D</div></div><div>=85snip=85</div><div><br></div><div><div>server_enc=
ryption_options:</div><div>&nbsp; &nbsp; internode_encryption: =
all</div><div>&nbsp; &nbsp; keystore: =
/etc/cassandra/conf/.keystore</div><div>&nbsp; &nbsp; keystore_password: =
yeah-right</div><div>&nbsp; &nbsp; truststore: =
/etc/cassandra/conf/.truststore</div><div>&nbsp; &nbsp; =
truststore_password:&nbsp;yeah-right</div><div>&nbsp; &nbsp; # More =
advanced defaults below:</div><div>&nbsp; &nbsp; # protocol: =
TLS</div><div>&nbsp; &nbsp; # algorithm: SunX509</div><div>&nbsp; &nbsp; =
# store_type: JKS</div><div>&nbsp; &nbsp; # cipher_suites: =
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]</div><div>&nbs=
p; &nbsp; # require_client_auth: false</div><div><br></div><div># enable =
or disable client/server =
encryption.</div><div>client_encryption_options:</div><div>&nbsp; &nbsp; =
enabled: true</div><div>&nbsp; &nbsp; keystore: =
/etc/cassandra/conf/.keystore</div><div>&nbsp; &nbsp; =
keystore_password:&nbsp;yeah-right</div><div>&nbsp; &nbsp; # =
require_client_auth: false</div><div>&nbsp; &nbsp; # Set trustore and =
truststore_password if require_client_auth is true</div><div>&nbsp; =
&nbsp; # truststore: conf/.truststore</div><div>&nbsp; &nbsp; # =
truststore_password: cassandra</div><div>&nbsp; &nbsp; # More advanced =
defaults below:</div><div>&nbsp; &nbsp; protocol: TLS</div><div>&nbsp; =
&nbsp; algorithm: SunX509</div><div>&nbsp; &nbsp; store_type: =
JKS</div><div>&nbsp; &nbsp; cipher_suites: =
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]</div></div><di=
v><br></div><div>=85snip...</div><div><div>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D</div></div><div><br></div><div><br></div><div><br=
></div><div><br></div><div>Thanks,</div><div>-David =
Laube</div><div><br></div></body></html>=

--Apple-Mail=_65EB1735-C42B-4DD2-8926-22D6157A34D2--