You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "George Cristea (Created) (JIRA)" <ji...@apache.org> on 2011/09/29 20:21:45 UTC
[jira] [Created] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
SSLFactory should not enable cipher suites that aren't supported
----------------------------------------------------------------
Key: CASSANDRA-3278
URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
Project: Cassandra
Issue Type: Bug
Components: Core
Affects Versions: 0.8.6, 0.8.5, 0.8.4, 1.0.0
Environment: OpenJDK on debian squeeze
Reporter: George Cristea
Priority: Minor
The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
{code}
public String[] cipherSuites = {
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
};
{code}
The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
Thanks,
George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Jonathan Ellis (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13117526#comment-13117526 ]
Jonathan Ellis commented on CASSANDRA-3278:
-------------------------------------------
Thanks for the bug report, George. It sounds like you have a good handle on this, can you submit a patch?
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.4, 0.8.5, 0.8.6, 1.0.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.7
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Vijay (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vijay updated CASSANDRA-3278:
-----------------------------
Attachment: 0003-expose-the-available-options-in-yaml-v2.patch
0002-commiting-filter-for-supported-suits-v2.patch
0001-commiting-changes-to-make-the-ks-ts-more-flexible-v2.patch
Done!, the only change between the v1 is change from cipherSuites to cipher_suites. Thanks!
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Assignee: Vijay
> Priority: Minor
> Fix For: 1.0.5
>
> Attachments: 0001-commiting-changes-to-make-the-ks-ts-more-flexible-v2.patch, 0001-commiting-filter-for-supported-suits.patch, 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch, 0002-commiting-filter-for-supported-suits-v2.patch, 0003-expose-the-available-options-in-yaml-v2.patch, 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Vijay (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vijay updated CASSANDRA-3278:
-----------------------------
Attachment: 0001-commiting-filter-for-supported-suits.patch
0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch
0003-expose-the-available-options-in-yaml.patch
We can also expose some of the available options so the users can choose.
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.8, 1.0.0
>
> Attachments: 0001-commiting-filter-for-supported-suits.patch, 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch, 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Brandon Williams (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13158789#comment-13158789 ]
Brandon Williams commented on CASSANDRA-3278:
---------------------------------------------
This looks good, but one minor nit: instead of cipherSuites in the yaml can we use the more idiomatic 'cipher_suites'?
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Assignee: Vijay
> Priority: Minor
> Fix For: 1.0.5
>
> Attachments: 0001-commiting-filter-for-supported-suits.patch, 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch, 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "George (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
George updated CASSANDRA-3278:
------------------------------
Attachment: cassandra-3278-cache.txt
cassandra-3278-nocache.txt
I wasn't happy with reading the keystore/trusstore files and doing the cipher suites' filtering for each socket creation so I ended up creating two patches:
* cassandra-3278-nocache.txt: Does the filtering, the down side that the filtering is done for each socket that's created.
* cassandra-3278-cache.txt: Caches the SSLContext along with the supported cipher suites for server and non-server sockets. The down side is that changing the keystore/truststore requires a restart of the node.
I don't have enough information to decide which version is preferable, I leave that to you.
Thanks,
George
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.4, 0.8.5, 0.8.6, 1.0.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.7
>
> Attachments: cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Vijay (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121456#comment-13121456 ]
Vijay commented on CASSANDRA-3278:
----------------------------------
George,
Thanks for the patch,
The problem with the cached is that we need to restart the whole cluster when we change the KS/TS, instead we will have the flexibility if the new connections will just pick it up. We persist the connections untill disconnect hence the performance shouldn't be a concern. Also there can be variety of ssl client (example fat clients) which may have different sets of supported suits (caching one might not help).
1) cassandra-3278-nocache isn't a patch by itself (Can you rebase it?)
2) in the non cached one, If we can log a info on the filtered suit it will be great,
Just a side note... I would use Sets.intersection to reduce the amount of code :)
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.8, 1.0.0
>
> Attachments: cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "George (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13117787#comment-13117787 ]
George commented on CASSANDRA-3278:
-----------------------------------
Sure, I'll try to get the patch to you by EOD tomorrow.
Once question: do you see a problem with calling getSupportedCipherSuites and doing the filtering for every socket creation?
Thanks,
George
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.4, 0.8.5, 0.8.6, 1.0.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.7
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Jonathan Ellis (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-3278:
--------------------------------------
Reviewer: vijay2win@yahoo.com (was: vijay)
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.8, 1.0.0
>
> Attachments: cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Jonathan Ellis (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13138499#comment-13138499 ]
Jonathan Ellis commented on CASSANDRA-3278:
-------------------------------------------
Since Cassandra sockets are long-lived I'm fine with having filter-each-socket being the only option.
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Assignee: Vijay
> Priority: Minor
> Fix For: 1.0.2
>
> Attachments: 0001-commiting-filter-for-supported-suits.patch, 0002-commiting-changes-to-make-the-ks-ts-more-flexible.patch, 0003-expose-the-available-options-in-yaml.patch, cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
Posted by "Jonathan Ellis (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-3278:
--------------------------------------
Fix Version/s: 0.8.7
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.4, 0.8.5, 0.8.6, 1.0.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.7
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira