Posted to pr@cassandra.apache.org by GitBox <gi...@apache.org> on 2022/04/05 00:49:24 UTC

[GitHub] [cassandra] bschoening opened a new pull request, #1548: Cassandra-17365 remove deprecated version specific TLS

bschoening opened a new pull request, #1548:
URL: https://github.com/apache/cassandra/pull/1548

   Replaces version-specific TLS with auto-negotiation of the highest protocol version that both the client and server support.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org
For additional commands, e-mail: pr-help@cassandra.apache.org


[GitHub] [cassandra] smiklosovic commented on a diff in pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
smiklosovic commented on code in PR #1548:
URL: https://github.com/apache/cassandra/pull/1548#discussion_r842748514


##########
pylib/cqlshlib/sslhandling.py:
##########
@@ -48,32 +48,11 @@ def get_option(section, option):
         except configparser.Error:
             return None
 
-    def get_best_tls_protocol(ssl_ver_str):
-        # newer python versions suggest to use PROTOCOL_TLS to negotiate the highest TLS version.
-        # older protocol versions have been deprecated:
-        # https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS
-        # https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
-        if ssl_ver_str:
-            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
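
Review bot: Removing the `if ssl_ver_str:` branch of `get_best_tls_protocol` means a version string the user has configured is now dropped without any message. The old branch at least surfaced an unknown name as `None` through the `getattr(..., None)` default; the replacement should log a deprecation warning whenever a version is supplied, so operators can see that the setting no longer has any effect.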

Review Comment:
   Add a warning here instead of this return, remove the next for loop completely and just return `ssl.PROTOCOL_TLS`.





[GitHub] [cassandra] bschoening closed pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
bschoening closed pull request #1548: Cassandra-17365 remove deprecated version specific TLS
URL: https://github.com/apache/cassandra/pull/1548




[GitHub] [cassandra] smiklosovic commented on a diff in pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
smiklosovic commented on code in PR #1548:
URL: https://github.com/apache/cassandra/pull/1548#discussion_r842746495


##########
pylib/cqlshlib/sslhandling.py:
##########
@@ -48,32 +48,11 @@ def get_option(section, option):
         except configparser.Error:
             return None
 
-    def get_best_tls_protocol(ssl_ver_str):
-        # newer python versions suggest to use PROTOCOL_TLS to negotiate the highest TLS version.
-        # older protocol versions have been deprecated:
-        # https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS
-        # https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
-        if ssl_ver_str:
-            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)
-        for protocol in ['PROTOCOL_TLS', 'PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1']:
-            if hasattr(ssl, protocol):
-                return getattr(ssl, protocol)
-        return ssl.PROTOCOL_TLS
-
     ssl_validate = env.get('SSL_VALIDATE')
     if ssl_validate is None:
         ssl_validate = get_option('ssl', 'validate')
     ssl_validate = ssl_validate is None or ssl_validate.lower() != 'false'
 
-    ssl_version_str = env.get('SSL_VERSION')
-    if ssl_version_str is None:
-        ssl_version_str = get_option('ssl', 'version')
-
-    ssl_version = get_best_tls_protocol(ssl_version_str)
-    if ssl_version is None:
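
Review bot: With the `SSL_VERSION` environment lookup and the `get_option('ssl', 'version')` fallback removed, nothing in the visible lines sets a lower bound on the negotiated protocol. Auto-negotiation picks the highest version both peers support, but an operator who previously pinned a version to keep older protocols out loses that control. Consider enforcing a minimum version on the client side, or state in the documentation that the floor now comes from the local Python and OpenSSL defaults.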

Review Comment:
   @bschoening remove this `if`, as `get_best_tls_protocol` will always return `ssl.PROTOCOL_TLS`.





[GitHub] [cassandra] smiklosovic commented on a diff in pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
smiklosovic commented on code in PR #1548:
URL: https://github.com/apache/cassandra/pull/1548#discussion_r842748514


##########
pylib/cqlshlib/sslhandling.py:
##########
@@ -48,32 +48,11 @@ def get_option(section, option):
         except configparser.Error:
             return None
 
-    def get_best_tls_protocol(ssl_ver_str):
-        # newer python versions suggest to use PROTOCOL_TLS to negotiate the highest TLS version.
-        # older protocol versions have been deprecated:
-        # https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS
-        # https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
-        if ssl_ver_str:
-            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)

Review Comment:
   Add a warning here instead of this return, remove the next for loop completely and just return `ssl.PROTOCOL_TLS`.





[GitHub] [cassandra] smiklosovic commented on a diff in pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
smiklosovic commented on code in PR #1548:
URL: https://github.com/apache/cassandra/pull/1548#discussion_r842748514


##########
pylib/cqlshlib/sslhandling.py:
##########
@@ -48,32 +48,11 @@ def get_option(section, option):
         except configparser.Error:
             return None
 
-    def get_best_tls_protocol(ssl_ver_str):
-        # newer python versions suggest to use PROTOCOL_TLS to negotiate the highest TLS version.
-        # older protocol versions have been deprecated:
-        # https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_TLS
-        # https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
-        if ssl_ver_str:
-            return getattr(ssl, "PROTOCOL_%s" % ssl_ver_str, None)

Review Comment:
   Add a warning here instead of this return, remove the next for loop completely and, after the if, just return `ssl.PROTOCOL_TLS`.





[GitHub] [cassandra] smiklosovic commented on a diff in pull request #1548: Cassandra-17365 remove deprecated version specific TLS

Posted by GitBox <gi...@apache.org>.
smiklosovic commented on code in PR #1548:
URL: https://github.com/apache/cassandra/pull/1548#discussion_r842747023


##########
pylib/cqlshlib/sslhandling.py:
##########
@@ -96,5 +75,5 @@ def get_best_tls_protocol(ssl_ver_str):
 
     return dict(ca_certs=ssl_certfile,
                 cert_reqs=ssl.CERT_REQUIRED if ssl_validate else ssl.CERT_NONE,
-                ssl_version=ssl_version,
+                ssl_version=ssl.PROTOCOL_TLS,
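
Review bot: The hard-coded `ssl.PROTOCOL_TLS` on the `ssl_version=` line is itself deprecated since Python 3.10 in favour of `ssl.PROTOCOL_TLS_CLIENT`. For a client-only tool, either switch to the client constant (checking how its stricter defaults interact with the `cert_reqs` line above, which still allows `ssl.CERT_NONE`) or add a comment explaining why the generic constant is kept.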

Review Comment:
   Leave `ssl_version`, as it will always be resolved as `ssl.PROTOCOL_TLS`.


