You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Ekaterina Dimitrova (Jira)" <ji...@apache.org> on 2020/06/15 13:26:00 UTC

[jira] [Commented] (CASSANDRA-15262) Update defaults for server and client TLS settings

    [ https://issues.apache.org/jira/browse/CASSANDRA-15262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17135852#comment-17135852 ] 

Ekaterina Dimitrova commented on CASSANDRA-15262:
-------------------------------------------------

Ok, looks like going back and forth I lost track at some point where it is committed.

Thank you for the patch and the rebase. I just went through the CI runs results. LGTM +1

I am not a committer, unfortunately.

> Update defaults for server and client TLS settings
> --------------------------------------------------
>
>                 Key: CASSANDRA-15262
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15262
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Joey Lynch
>            Assignee: Joey Lynch
>            Priority: Normal
>             Fix For: 4.0, 4.0-alpha
>
>
> The current `server_encryption_options` configuration options are as follows:
> {noformat}
> server_encryption_options:
>     # set to true for allowing secure incoming connections
>     enabled: false
>     # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
>     optional: false
>     # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
>     # during upgrade to 4.0; otherwise, set to false.
>     enable_legacy_ssl_storage_port: false
>     # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
>     internode_encryption: none
>     keystore: conf/.keystore
>     keystore_password: cassandra
>     truststore: conf/.truststore
>     truststore_password: cassandra
>     # More advanced defaults below:
>     # protocol: TLS
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {noformat}
> A couple of issues here:
> 1. optional defaults to false, which will break existing TLS configurations for (from what I can tell) no particularly good reason
> 2. The provided protocol and cipher suites are not good ideas (in particular encouraging anyone to use CBC ciphers is a bad plan
> I propose that before the 4.0 cut we fixup server_encryption_options and even client_encryption_options :
> # Change the default {{optional}} setting to true. As the new Netty code intelligently decides to open a TLS connection or not this is the more sensible default (saves operators a step while transitioning to TLS as well)
> # Update the defaults to what netty actually defaults to



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org