You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Vijay (Commented) (JIRA)" <ji...@apache.org> on 2011/10/05 22:44:30 UTC
[jira] [Commented] (CASSANDRA-3278) SSLFactory should not enable
cipher suites that aren't supported
[ https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121456#comment-13121456 ]
Vijay commented on CASSANDRA-3278:
----------------------------------
George,
Thanks for the patch,
The problem with the cached is that we need to restart the whole cluster when we change the KS/TS, instead we will have the flexibility if the new connections will just pick it up. We persist the connections untill disconnect hence the performance shouldn't be a concern. Also there can be variety of ssl client (example fat clients) which may have different sets of supported suits (caching one might not help).
1) cassandra-3278-nocache isn't a patch by itself (Can you rebase it?)
2) in the non cached one, If we can log a info on the filtered suit it will be great,
Just a side note... I would use Sets.intersection to reduce the amount of code :)
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.8, 1.0.0
>
> Attachments: cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])] fails on systems that don't have [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html] because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in SSLFactory.java should call [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()] to find out which of the suites specified are supported.
> Thanks,
> George
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira