Posted to commits@cassandra.apache.org by ja...@apache.org on 2014/11/13 00:59:24 UTC
cassandra git commit: Disable SSLv3 for POODLE
Repository: cassandra
Updated Branches:
refs/heads/cassandra-2.0 be7914229 -> b93f48a5d
Disable SSLv3 for POODLE
patch by Jeremiah Jordan; reviewed by jasobrown for CASSANDRA-8265
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/b93f48a5
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/b93f48a5
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/b93f48a5
Branch: refs/heads/cassandra-2.0
Commit: b93f48a5db321bf7c9fb55a800ed6ab2d6f6b102
Parents: be79142
Author: Jason Brown <ja...@gmail.com>
Authored: Wed Nov 12 15:58:13 2014 -0800
Committer: Jason Brown <ja...@gmail.com>
Committed: Wed Nov 12 15:58:13 2014 -0800
----------------------------------------------------------------------
CHANGES.txt | 1 +
src/java/org/apache/cassandra/security/SSLFactory.java | 4 ++++
.../org/apache/cassandra/thrift/CustomTThreadPoolServer.java | 4 ++++
src/java/org/apache/cassandra/transport/Server.java | 1 +
src/java/org/apache/cassandra/transport/SimpleClient.java | 1 +
5 files changed, 11 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 47e611c..809a102 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
2.0.12:
+ * Disable SSLv3 for POODLE (CASSANDRA-8265)
* Fix millisecond timestamps in Tracing (CASSANDRA-8297)
* Include keyspace name in error message when there are insufficient
live nodes to stream from (CASSANDRA-8221)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 3cb0670..260c828 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -61,6 +61,7 @@ public final class SSLFactory
String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suits);
serverSocket.setNeedClientAuth(options.require_client_auth);
+ serverSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
serverSocket.bind(new InetSocketAddress(address, port), 500);
return serverSocket;
}
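Review bot: The protocol list `new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}` is spelled out by hand here and again in the three hunks below, and once more in CustomTThreadPoolServer, Server and SimpleClient; a single `public static final String[] ACCEPTED_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};` on SSLFactory, used as `serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);`, would give a later change (dropping TLSv1/TLSv1.1, or making the list configurable the way `cipher_suites` already is) one place to edit. Unlike the cipher suites, which are intersected with `getSupportedCipherSuites()` through `filterCipherSuites` two lines above, the protocol names are not checked against `getSupportedProtocols()`, and `setEnabledProtocols` throws IllegalArgumentException for any name the JSSE provider does not support, so on a provider lacking TLSv1.1 or TLSv1.2 every socket created here would fail outright rather than negotiate what remains; presumably acceptable for the JDK this branch targets, but worth stating. A one-line comment on the added line would also record the intent for the next reader, e.g. `// SSLv3 deliberately excluded (POODLE, CASSANDRA-8265); SSLv2Hello only allows the v2-format ClientHello, not SSLv2 itself`. The enclosing method's signature lies outside each of these hunks.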
@@ -72,6 +73,7 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
return socket;
}
@@ -82,6 +84,7 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
return socket;
}
@@ -92,6 +95,7 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
String[] suits = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suits);
+ socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
return socket;
}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index d1a3304..3111deb 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -27,6 +27,8 @@ import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
+import javax.net.ssl.SSLServerSocket;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -251,6 +253,8 @@ public class CustomTThreadPoolServer extends TServer
params.requireClientAuth(true);
}
TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(), 0, addr.getAddress(), params);
+ SSLServerSocket sslServerSocket = (SSLServerSocket) sslServer.getServerSocket();
+ sslServerSocket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize);
}
else
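Review bot: The new local `sslServerSocket` is not reused on the following line, which calls `sslServer.getServerSocket()` a second time; passing the local instead, `serverTransport = new TCustomServerSocket(sslServerSocket, args.keepAlive, args.sendBufferSize, args.recvBufferSize);`, keeps a single reference and makes it visible that the transport wraps the socket whose protocols were just restricted. The cast to SSLServerSocket is unchecked; it is presumably safe because `TSSLTransportFactory.getServerSocket` is the producer, but a short comment saying so, e.g. `// TSSLTransportFactory always backs the TServerSocket with an SSLServerSocket`, would save the next reader a trip into Thrift. The enclosing method starts and ends outside the hunk.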
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index f095776..092e1ba 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
@@ -296,6 +296,7 @@ public class Server implements CassandraDaemon.Server
sslEngine.setUseClientMode(false);
sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
+ sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
SslHandler sslHandler = new SslHandler(sslEngine);
sslHandler.setIssueHandshake(true);
http://git-wip-us.apache.org/repos/asf/cassandra/blob/b93f48a5/src/java/org/apache/cassandra/transport/SimpleClient.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/SimpleClient.java b/src/java/org/apache/cassandra/transport/SimpleClient.java
index 5f2efda..3bcf751 100644
--- a/src/java/org/apache/cassandra/transport/SimpleClient.java
+++ b/src/java/org/apache/cassandra/transport/SimpleClient.java
@@ -259,6 +259,7 @@ public class SimpleClient
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(true);
sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
+ sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
ChannelPipeline pipeline = super.getPipeline();
pipeline.addFirst("ssl", new SslHandler(sslEngine));