Posted to commits@cassandra.apache.org by sn...@apache.org on 2016/03/16 20:37:03 UTC
cassandra git commit: Remove hard-coded SSL cipher suites and
protocols
Repository: cassandra
Updated Branches:
refs/heads/trunk e5394f192 -> e4a0a4bf6
Remove hard-coded SSL cipher suites and protocols
patch by Stefan Podkowinski; reviewed by Robert Stupp for CASSANDRA-10508
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/e4a0a4bf
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/e4a0a4bf
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/e4a0a4bf
Branch: refs/heads/trunk
Commit: e4a0a4bf65a87c3aabae4ee0cc35009879e2d455
Parents: e5394f1
Author: Stefan Podkowinski <ji...@midnightdrift.com>
Authored: Wed Mar 16 20:36:44 2016 +0100
Committer: Robert Stupp <sn...@snazy.de>
Committed: Wed Mar 16 20:36:44 2016 +0100
----------------------------------------------------------------------
CHANGES.txt | 1 +
conf/cassandra.yaml | 12 ++++++++----
.../org/apache/cassandra/config/EncryptionOptions.java | 8 +++-----
src/java/org/apache/cassandra/security/SSLFactory.java | 5 -----
.../cassandra/thrift/CustomTThreadPoolServer.java | 3 +--
src/java/org/apache/cassandra/transport/Server.java | 1 -
.../org/apache/cassandra/transport/SimpleClient.java | 1 -
7 files changed, 13 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 8eb0c1f..3e99561 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
3.6
+ * Remove hard-coded SSL cipher suites and protocols (CASSANDRA-10508)
* Improve concurrency in CompactionStrategyManager (CASSANDRA-10099)
* (cqlsh) interpret CQL type for formatting blobs (CASSANDRA-11274)
* Refuse to start and print txn log information in case of disk
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index fe8f3c0..9883533 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -876,10 +876,14 @@ request_scheduler: org.apache.cassandra.scheduler.NoScheduler
# request_scheduler_id: keyspace
# Enable or disable inter-node encryption
-# Default settings are TLS v1, RSA 1024-bit keys (it is imperative that
-# users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher
-# suite for authentication, key exchange and encryption of the actual data transfers.
-# Use the DHE/ECDHE ciphers if running in FIPS 140 compliant mode.
+# JVM defaults for supported SSL socket protocols and cipher suites can
+# be replaced using custom encryption options. This is not recommended
+# unless you have policies in place that dictate certain settings, or
+# need to disable vulnerable ciphers or protocols in case the JVM cannot
+# be updated.
+# FIPS compliant settings can be configured at JVM level and should not
+# involve changing encryption settings here:
+# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
# NOTE: No custom encryption options are enabled at the moment
# The available internode options are : all, none, dc, rack
#
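Review bot: The new comment says the JVM defaults for protocols can be replaced through the encryption options, but the options visible in EncryptionOptions.java in this commit carry a `cipher_suites` list and a single `protocol` string, with no list of enabled protocol versions. The same commit removes the `setEnabledProtocols` calls in SSLFactory, CustomTThreadPoolServer, Server and SimpleClient, so the enabled versions now appear to be decided by the JVM alone. A JVM that still enables SSLv3 by default would offer it, where the removed list did not. The comment should tell operators where that control now lives, for example `# Enabled protocol versions come from the JVM; restrict them with the jdk.tls.disabledAlgorithms security property.`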
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index 31f8b4a..526e356 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -17,17 +17,15 @@
*/
package org.apache.cassandra.config;
+import javax.net.ssl.SSLSocketFactory;
+
public abstract class EncryptionOptions
{
public String keystore = "conf/.keystore";
public String keystore_password = "cassandra";
public String truststore = "conf/.truststore";
public String truststore_password = "cassandra";
- public String[] cipher_suites = {
- "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
- };
+ public String[] cipher_suites = ((SSLSocketFactory)SSLSocketFactory.getDefault()).getDefaultCipherSuites();
public String protocol = "TLS";
public String algorithm = "SunX509";
public String store_type = "JKS";
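Review bot: The new initializer for `cipher_suites` queries the JVM-wide default `SSLSocketFactory` each time an EncryptionOptions object is constructed, even when encryption is disabled. That factory belongs to the default SSLContext, not to the context Cassandra builds from `protocol`, `algorithm` and the keystore, so the two suite lists need not match. The Javadoc for `SSLSocketFactory.getDefault()` says an inoperative factory is returned when the default context cannot be created; the reported list would then presumably be empty or unusable, and the later `filterCipherSuites` call would enable nothing. Consider leaving the default unset, `public String[] cipher_suites;`, and skipping `setEnabledCipherSuites` at the call sites when it is null so each socket or engine keeps its own defaults. The class body continues outside the hunk.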
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index a327de9..bef4a60 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -53,7 +53,6 @@ import com.google.common.collect.Sets;
public final class SSLFactory
{
private static final Logger logger = LoggerFactory.getLogger(SSLFactory.class);
- public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
private static boolean checkedExpiry = false;
public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
@@ -64,7 +63,6 @@ public final class SSLFactory
String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suites);
serverSocket.setNeedClientAuth(options.require_client_auth);
- serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
serverSocket.bind(new InetSocketAddress(address, port), 500);
return serverSocket;
}
@@ -76,7 +74,6 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
- socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
@@ -87,7 +84,6 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
- socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
@@ -98,7 +94,6 @@ public final class SSLFactory
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
socket.setEnabledCipherSuites(suites);
- socket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
return socket;
}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index acdf31c..46da9d5 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -256,8 +256,7 @@ public class CustomTThreadPoolServer extends TServer
SSLServerSocket sslServerSocket = (SSLServerSocket) sslServer.getServerSocket();
String[] suites = SSLFactory.filterCipherSuites(sslServerSocket.getSupportedCipherSuites(), clientEnc.cipher_suites);
sslServerSocket.setEnabledCipherSuites(suites);
- sslServerSocket.setEnabledProtocols(SSLFactory.ACCEPTED_PROTOCOLS);
- serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize);
+ serverTransport = new TCustomServerSocket(sslServerSocket, args.keepAlive, args.sendBufferSize, args.recvBufferSize);
}
else
{
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index 76aedb7..caac58c 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
@@ -361,7 +361,6 @@ public class Server implements CassandraDaemon.Server
String[] suites = SSLFactory.filterCipherSuites(sslEngine.getSupportedCipherSuites(), encryptionOptions.cipher_suites);
sslEngine.setEnabledCipherSuites(suites);
sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
- sslEngine.setEnabledProtocols(SSLFactory.ACCEPTED_PROTOCOLS);
return new SslHandler(sslEngine);
}
}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/e4a0a4bf/src/java/org/apache/cassandra/transport/SimpleClient.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/SimpleClient.java b/src/java/org/apache/cassandra/transport/SimpleClient.java
index 4759c2a..6e20cfa 100644
--- a/src/java/org/apache/cassandra/transport/SimpleClient.java
+++ b/src/java/org/apache/cassandra/transport/SimpleClient.java
@@ -293,7 +293,6 @@ public class SimpleClient implements Closeable
sslEngine.setUseClientMode(true);
String[] suites = SSLFactory.filterCipherSuites(sslEngine.getSupportedCipherSuites(), encryptionOptions.cipher_suites);
sslEngine.setEnabledCipherSuites(suites);
- sslEngine.setEnabledProtocols(SSLFactory.ACCEPTED_PROTOCOLS);
channel.pipeline().addFirst("ssl", new SslHandler(sslEngine));
}
}