You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Stefan Podkowinski (JIRA)" <ji...@apache.org> on 2016/03/23 13:25:25 UTC
[jira] [Commented] (CASSANDRA-11405) Server encryption cannot be
enabled with the IBM JRE 1.7
[ https://issues.apache.org/jira/browse/CASSANDRA-11405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15208330#comment-15208330 ]
Stefan Podkowinski commented on CASSANDRA-11405:
------------------------------------------------
This has been addressed in CASSANDRA-10508, but likely won't be back ported to 2.2, as the issue doesn't effect supported JDKs.
> Server encryption cannot be enabled with the IBM JRE 1.7
> --------------------------------------------------------
>
> Key: CASSANDRA-11405
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11405
> Project: Cassandra
> Issue Type: Bug
> Components: Configuration
> Environment: Linux, IBM JRE 1.7
> Reporter: Guillermo Vega-Toro
> Fix For: 2.2.6
>
>
> When enabling server encryption with the IBM JRE (algorithm: IbmX509), an IllegalArgumentException is thrown from the IBM JSSE when the server is started:
> ERROR 10:04:37,326 Exception encountered during startup
> java.lang.IllegalArgumentException: SSLv2Hello
> at com.ibm.jsse2.qb.a(qb.java:50)
> at com.ibm.jsse2.pb.a(pb.java:101)
> at com.ibm.jsse2.pb.<init>(pb.java:77)
> at com.ibm.jsse2.oc.setEnabledProtocols(oc.java:77)
> at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:64)
> at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:425)
> at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:409)
> at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:693)
> at org.apache.cassandra.service.StorageService.initServer(StorageService.java:623)
> at org.apache.cassandra.service.StorageService.initServer(StorageService.java:515)
> at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:437)
> at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:567)
> at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:656)
> The problem is that the IBM JSSE does not support SSLv2Hello, but this protocol is hard-coded in class org.apache.cassandra.security.SSLFactory:
> public static final String[] ACCEPTED_PROTOCOLS = new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};
> public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
> {
> SSLContext ctx = createSSLContext(options, true);
> SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
> serverSocket.setReuseAddress(true);
> String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
> serverSocket.setEnabledCipherSuites(suits);
> serverSocket.setNeedClientAuth(options.require_client_auth);
> serverSocket.setEnabledProtocols(ACCEPTED_PROTOCOLS);
> serverSocket.bind(new InetSocketAddress(address, port), 500);
> return serverSocket;
> }
> This ACCEPTED_PROTOCOLS array should not be hard-coded. It should rather read the protocols from configuration, or if the algorithm is IbmX509, simply do not call setEnabledProtocols - with the IBM JSSE, the enabled protocol is controlled by the protocol passed to SSLContext.getInstance.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)