Posted to commits@cassandra.apache.org by sp...@apache.org on 2018/02/14 10:32:15 UTC

cassandra git commit: Use JRE default key store algorithm instead of SunX509

Repository: cassandra
Updated Branches:
  refs/heads/trunk 0bc2164df -> bb9aa0988


Use JRE default key store algorithm instead of SunX509

patch by Stefan Podkowinski; reviewed by Jason Brown for CASSANDRA-13259


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/bb9aa098
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/bb9aa098
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/bb9aa098

Branch: refs/heads/trunk
Commit: bb9aa098813b7f047f450086e18a78b149bb5349
Parents: 0bc2164
Author: Stefan Podkowinski <st...@1und1.de>
Authored: Thu Feb 23 13:17:39 2017 +0100
Committer: Stefan Podkowinski <st...@1und1.de>
Committed: Wed Feb 14 11:29:59 2018 +0100

----------------------------------------------------------------------
 CHANGES.txt                                                    | 1 +
 conf/cassandra.yaml                                            | 2 --
 src/java/org/apache/cassandra/config/EncryptionOptions.java    | 2 +-
 src/java/org/apache/cassandra/security/SSLFactory.java         | 6 ++++--
 src/java/org/apache/cassandra/tools/LoaderOptions.java         | 2 +-
 .../src/org/apache/cassandra/stress/settings/Legacy.java       | 2 +-
 .../apache/cassandra/stress/settings/SettingsTransport.java    | 2 +-
 7 files changed, 9 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 54b587d..d69c631 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 4.0
+ * Use JVM default SSL validation algorithm instead of custom default (CASSANDRA-13259)
  * Better document in code InetAddressAndPort usage post 7544, incorporate port into UUIDGen node (CASSANDRA-14226)
  * Fix sstablemetadata date string for minLocalDeletionTime (CASSANDRA-14132)
  * Make it possible to change neverPurgeTombstones during runtime (CASSANDRA-14214)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 9acc6d6..0a954b4 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -961,7 +961,6 @@ server_encryption_options:
     truststore_password: cassandra
     # More advanced defaults below:
     # protocol: TLS
-    # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
     # require_client_auth: false
@@ -980,7 +979,6 @@ client_encryption_options:
     # truststore_password: cassandra
     # More advanced defaults below:
     # protocol: TLS
-    # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
 

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index aecbfca..5260dff 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -25,7 +25,7 @@ public class EncryptionOptions
     public String truststore_password = "cassandra";
     public String[] cipher_suites = {};
     public String protocol = "TLS";
-    public String algorithm = "SunX509";
+    public String algorithm = null;
     public String store_type = "JKS";
     public boolean require_client_auth = false;
     public boolean require_endpoint_verification = false;
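Review bot: The new `public String algorithm = null;` line gives the field a meaningful sentinel (null = defer to the JRE) but nothing on the field says so, so a reader of this class alone will take it for an unset value. I'd put a comment above it: `// null means use the JRE default for each factory (KeyManagerFactory/TrustManagerFactory.getDefaultAlgorithm(), driven by the ssl.KeyManagerFactory.algorithm and ssl.TrustManagerFactory.algorithm security properties); set only to override`. Because this is a public field read directly, any other caller that hands it unchecked to a `getInstance(String)` would now get a NullPointerException instead of a working SunX509 factory — worth a grep outside this diff, since only SSLFactory is updated here. The class body continues outside the hunk.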

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 0bf769c..395ea42 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -171,7 +171,8 @@ public final class SSLFactory
     {
         try (InputStream tsf = Files.newInputStream(Paths.get(options.truststore)))
         {
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance(options.algorithm);
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
+                options.algorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : options.algorithm);
             KeyStore ts = KeyStore.getInstance(options.store_type);
             ts.load(tsf, options.truststore_password.toCharArray());
             tmf.init(ts);
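Review bot: The null-to-default resolution is written inline inside the `getInstance(...)` argument here and again in the second hunk for `KeyManagerFactory`, and the value it resolves to now depends on the host JRE's security properties rather than on anything visible in cassandra.yaml, so an operator cannot tell from config which validation is in effect. I'd resolve it into a local and log it once, e.g. `String tmfAlgorithm = options.algorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : options.algorithm;` followed by `TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);` and a debug log of `tmfAlgorithm` if this class has a logger (not visible in the hunk). Note that in the JDK the two defaults differ (PKIX for trust managers, SunX509 for key managers), so a single unset `algorithm` now yields different behaviour per factory, which the field's documentation should spell out. Both enclosing methods start above their hunks.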
@@ -187,7 +188,8 @@ public final class SSLFactory
     {
         try (InputStream ksf = Files.newInputStream(Paths.get(options.keystore)))
         {
-            KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
+                options.algorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : options.algorithm);
             KeyStore ks = KeyStore.getInstance(options.store_type);
             ks.load(ksf, options.keystore_password.toCharArray());
             if (!checkedExpiry)

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/src/java/org/apache/cassandra/tools/LoaderOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/tools/LoaderOptions.java b/src/java/org/apache/cassandra/tools/LoaderOptions.java
index 4646ba4..3686584 100644
--- a/src/java/org/apache/cassandra/tools/LoaderOptions.java
+++ b/src/java/org/apache/cassandra/tools/LoaderOptions.java
@@ -610,7 +610,7 @@ public class LoaderOptions
         options.addOption("ks", SSL_KEYSTORE, "KEYSTORE", "Client SSL: full path to keystore");
         options.addOption("kspw", SSL_KEYSTORE_PW, "KEYSTORE-PASSWORD", "Client SSL: password of the keystore");
         options.addOption("prtcl", SSL_PROTOCOL, "PROTOCOL", "Client SSL: connections protocol to use (default: TLS)");
-        options.addOption("alg", SSL_ALGORITHM, "ALGORITHM", "Client SSL: algorithm (default: SunX509)");
+        options.addOption("alg", SSL_ALGORITHM, "ALGORITHM", "Client SSL: algorithm");
         options.addOption("st", SSL_STORE_TYPE, "STORE-TYPE", "Client SSL: type of store");
         options.addOption("ciphers", SSL_CIPHER_SUITES, "CIPHER-SUITES", "Client SSL: comma-separated list of encryption suites to use");
         options.addOption("f", CONFIG_PATH, "path to config file", "cassandra.yaml file path for streaming throughput and client/server SSL.");
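Review bot: The new help text `"Client SSL: algorithm"` drops the old default but does not say what happens when the option is omitted, so users lose the information the previous text carried; I'd use `"Client SSL: algorithm (default: the JRE's key/trust manager algorithm)"`. The same applies to the `"SSL: algorithm"` text in the Legacy.java hunk of this commit. The enclosing method continues outside the hunk.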

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/tools/stress/src/org/apache/cassandra/stress/settings/Legacy.java
----------------------------------------------------------------------
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/Legacy.java b/tools/stress/src/org/apache/cassandra/stress/settings/Legacy.java
index f9cbe8e..ba94e3f 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/Legacy.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/Legacy.java
@@ -74,7 +74,7 @@ public class Legacy implements Serializable
         availableOptions.addOption("ts", SSL_TRUSTSTORE,         true, "SSL: full path to truststore");
         availableOptions.addOption("tspw", SSL_TRUSTSTORE_PW,    true, "SSL: full path to truststore");
         availableOptions.addOption("prtcl", SSL_PROTOCOL,        true, "SSL: connections protocol to use (default: TLS)");
-        availableOptions.addOption("alg", SSL_ALGORITHM,         true, "SSL: algorithm (default: SunX509)");
+        availableOptions.addOption("alg", SSL_ALGORITHM,         true, "SSL: algorithm");
         availableOptions.addOption("st", SSL_STORE_TYPE,         true, "SSL: type of store");
         availableOptions.addOption("ciphers", SSL_CIPHER_SUITES, true, "SSL: comma-separated list of encryption suites to use");
         availableOptions.addOption("th",  "throttle",            true,   "Throttle the total number of operations per second to a maximum amount.");

http://git-wip-us.apache.org/repos/asf/cassandra/blob/bb9aa098/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
----------------------------------------------------------------------
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index 6acc500..9b8eaa0 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -73,7 +73,7 @@ public class SettingsTransport implements Serializable
         final OptionSimple keyStore = new OptionSimple("keystore=", ".*", null, "SSL: full path to keystore", false);
         final OptionSimple keyStorePw = new OptionSimple("keystore-password=", ".*", null, "SSL: keystore password", false);
         final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
-        final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", "SunX509", "SSL: algorithm", false);
+        final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
         final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*", "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA", "SSL: comma delimited list of encryption suites to use", false);
 
         @Override
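Review bot: Changing the `ssl-alg=` default to `null` is only correct if the code that reads this option (outside the hunk, presumably where the stress EncryptionOptions is built) passes the value through unchanged rather than formatting or concatenating it, otherwise the literal string "null" could reach `getInstance`; worth confirming against that consumer. The option description `"SSL: algorithm"` could also state that leaving it unset means the JRE default is used, as the yaml no longer documents it either. The enclosing class continues outside the hunk.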

