Posted to user@cassandra.apache.org by Lou DeGenaro <lo...@gmail.com> on 2018/04/20 12:41:42 UTC

How to configure Cassandra to NOT use SSLv2?

Running Cassandra produces the following error message:

"SSLv2Hello is not a recognized protocol"

because the JVM being used does not support SSLv2. The JVM does not support
SSLv2 because "it's a HUGE security risk."

How does one configure Cassandra to *not* use SSLv2?

Thanks.

Lou.

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Stefan Podkowinski <sp...@apache.org>.
The hard-coded protocol selection has been removed in one of the 3.x
releases. You may want to consider updating to the latest 3.11 release.




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
For additional commands, e-mail: user-help@cassandra.apache.org


Re: How to configure Cassandra to NOT use SSLv2?

Posted by Lou DeGenaro <lo...@gmail.com>.
Here is what I was told by IBM JVM Support:

> ...the string "SSLv2Hello" is not supported in IBM JVM but more
> importantly, the protocol SSLv2 is no longer a valid protocol in
> our JVM. We don't even have SSLv3 enabled by default due to the HIGH
> severity vulnerabilities this protocol has.

Is there anything I can do to use IBM JVM and Cassandra with encryption?

Thanks.

Lou.


Re: How to configure Cassandra to NOT use SSLv2?

Posted by Michael Shuler <mi...@pbandjelly.org>.
Correct!

Thanks for the trace, Lou.

SSLFactory.java:67 specifies a list of protocols, including SSLv2Hello.

"It [IBM JSSE] does not support specifying SSLv2Hello."
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html

Apache Cassandra is tested on Oracle JDK and OpenJDK. Use a supported
version of either of those, and this problem should go away.
Alternatively, do a custom build of Cassandra, if you must run a
little-used JDK?

Also, just for a little additional info, SSLv2Hello != SSLv2, so I do
not believe that there is a worry about some weak protocol here.
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4915862

-- 
Kind regards,
Michael

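An added example, not Cassandra's own code: a small Java program that asks the running JVM which protocol names and cipher suites its JSSE supports, then filters a requested list the way a defensive SSLFactory would, dropping names the JSSE does not know (SSLv2Hello on IBM's, per the thread) with a warning instead of handing them to setEnabledProtocols and failing with the IllegalArgumentException in Lou's trace. The requested protocol list and suite list are constructed here from the values quoted in this thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class JsseSupportCheck {

    // Constructed for this example: the protocol names the 3.0.x SSLFactory hard-coded
    // (per the thread) and a cipher_suites list mixing the TLS 1.2-only suite Marcus
    // suggests with two suites from the default list the WARN line shows being filtered.
    static final String[] REQUESTED_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "SSLv2Hello"};
    static final String[] REQUESTED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA"
    };

    /**
     * Intersect what the configuration asks for with what the socket supports.
     * Unsupported names are reported and left out, so a name this JSSE does not
     * know no longer turns into an IllegalArgumentException at startup.
     * Returns the surviving names in the requested order.
     */
    static String[] filterSupported(String kind, String[] requested, String[] supported) {
        Set<String> known = new HashSet<>(Arrays.asList(supported));
        List<String> keep = new ArrayList<>();
        List<String> dropped = new ArrayList<>();
        for (String name : requested) {
            if (known.contains(name)) {
                keep.add(name);
            } else {
                dropped.add(name);
            }
        }
        if (!dropped.isEmpty()) {
            System.err.println("WARN  Filtering out " + dropped
                    + " as it isn't supported by the socket (" + kind + ")");
        }
        if (keep.isEmpty()) {
            // Refusing to start is the right failure mode here: an empty enabled set
            // would make every handshake fail later, far away from the misconfiguration.
            throw new IllegalStateException("none of the requested " + kind
                    + " are supported by this JVM");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        // Port 0 binds an ephemeral port; no handshake happens, so no keystore is needed
        // just to ask the JSSE what it supports.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("JVM supports protocols: "
                    + Arrays.toString(socket.getSupportedProtocols()));
            String[] protocols = filterSupported("protocols",
                    REQUESTED_PROTOCOLS, socket.getSupportedProtocols());
            String[] suites = filterSupported("cipher suites",
                    REQUESTED_SUITES, socket.getSupportedCipherSuites());
            socket.setEnabledProtocols(protocols);   // safe: every name is known to this JSSE
            socket.setEnabledCipherSuites(suites);
            System.out.println("Enabled protocols: "
                    + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("Enabled cipher suites: "
                    + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Compile and run it with the same java binary Cassandra is started with (in Lou's case /share/ibm-jdk1.8/bin/java) so the answer reflects the JSSE that will actually open the internode sockets.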


Re: How to configure Cassandra to NOT use SSLv2?

Posted by Marcus Haarmann <ma...@midoco.de>.
OK, this is IBM JDK. The options might differ. I have been searching for Oracle Java options. 
You will need to consult the IBM documentation in this case. 

Marcus Haarmann 


From: "Lou DeGenaro" <lo...@gmail.com>
To: "user" <us...@cassandra.apache.org>
Sent: Tuesday, 24 April 2018 16:08:06
Subject: Re: How to configure Cassandra to NOT use SSLv2?

Thanks for your suggestions. I tried using the -D shown below:

    degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
    degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
    ...
    WARN  14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
    Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
    java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
        at com.ibm.jsse2.S.a(S.java:112)
        at com.ibm.jsse2.S.b(S.java:136)
        at com.ibm.jsse2.S.<init>(S.java:177)
        at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
        at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
        at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
        at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
        at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
        at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
        at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
        at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
        at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
        at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
    ERROR 14:01:09 Exception encountered during startup
    java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.

Who is at fault: user, Cassandra, JVM, OS?

Thanks.

Lou.

On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <marcus.haarmann@midoco.de> wrote:

> Hi,
>
> I did take a look into the source code of 3.11, but I believe the code is more or less the same.
> The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
> The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file.
> Or to define a system property on the command line (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello).
>
> There are multiple options for SSL configuration in the config
> (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
> The most interesting one in your situation would be the cipher_suites option, which allows you
> to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> (which is a TLS1.2-only cipher suite).
>
> You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze)
>
> Marcus Haarmann
>
> From: "Lou DeGenaro" <lou.degenaro@gmail.com>
> To: "user" <user@cassandra.apache.org>
> Sent: Tuesday, 24 April 2018 11:21:06
> Subject: Re: How to configure Cassandra to NOT use SSLv2?
>
> Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2? Happy to use a newer version of Cassandra if that's what's required.
>
> On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lou.degenaro@gmail.com> wrote:
>
> > 3.0.9
> >
> > On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <michael@pbandjelly.org> wrote:
> >
> > > On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> > > > Could you be more specific? What does one specify exactly to assure
> > > > SSLv2 is not used for both client-server and server-server
> > > > communications? Example yaml statements would be wonderful.
> > >
> > > The defaults in cassandra.yaml have only TLS specified in the current
> > > branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
> > > It's possible you may be on something older - what version are we
> > > talking about?
> > >
> > > --
> > > Michael

RE: [EXTERNAL] Re: How to configure Cassandra to NOT use SSLv2?

Posted by "Durity, Sean R" <SE...@homedepot.com>.
I think I would start with the JVM. Sometimes, for export purposes, the cryptography extensions (JCE) are in a separate jar or package from the standard JRE or JVM. I haven’t used the IBM JDK, so I don’t know specifically about that one.

Also, perhaps the error is correct – SSLv2Hello is not a parameter that can be passed to the JVM. Maybe remove that option?


Sean Durity

From: Lou DeGenaro [mailto:lou.degenaro@gmail.com]
Sent: Tuesday, April 24, 2018 10:08 AM
To: user@cassandra.apache.org
Subject: [EXTERNAL] Re: How to configure Cassandra to NOT use SSLv2?

Thanks for your suggestions.  I tried using the -D shown below:
degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
...
WARN  14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
    at com.ibm.jsse2.S.a(S.java:112)
    at com.ibm.jsse2.S.b(S.java:136)
    at com.ibm.jsse2.S.<init>(S.java:177)
    at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
    at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
    at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
    at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
    at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
    at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
    at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
ERROR 14:01:09 Exception encountered during startup
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.

Who is at fault: user, Cassandra, JVM, OS?
Thanks.
Lou.





On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <ma...@midoco.de> wrote:
Hi,

I did take a look into the source code of 3.11, but I believe the code is more or less the same.
The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file.
Or to define a system property on the command line (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello).

There are multiple options for SSL configuration in the config
(https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
The most interesting one in your situation would be the cipher_suites option, which allows you
to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(which is a TLS1.2-only cipher suite).

You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze)

Marcus Haarmann

________________________________
Von: "Lou DeGenaro" <lo...@gmail.com>
An: "user" <us...@cassandra.apache.org>
Gesendet: Dienstag, 24. April 2018 11:21:06
Betreff: Re: How to configure Cassandra to NOT use SSLv2?

Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2?  Happy to use a newer version of Cassandra if that's what's required.

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lo...@gmail.com> wrote:
3.0.9

On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mi...@pbandjelly.org> wrote:
On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> Could you be more specific?  What does one specify exactly to assure
> SSLv2 is not used for both client-server and server-server
> communications?  Example yaml statements would be wonderful.

The defaults in cassandra.yaml have only TLS specified in the current
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
It's possible you may be on something older - what version are we
talking about?

--
Michael






Re: How to configure Cassandra to NOT use SSLv2?

Posted by Lou DeGenaro <lo...@gmail.com>.
Thanks for your suggestions.  I tried using the -D shown below:

degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
> degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl
> --interleave=all /share/ibm-jdk1.8/bin/java
> -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log
> -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled
> -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1
> -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly
> -XX:CMSWaitDuration=10000...
> ...
> WARN  14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
> Exception (java.lang.IllegalArgumentException) encountered during startup:
> SSLv2Hello is not a recognized protocol.
> java.lang.IllegalArgumentException: SSLv2Hello is not a recognized
> protocol.
>     at com.ibm.jsse2.S.a(S.java:112)
>     at com.ibm.jsse2.S.b(S.java:136)
>     at com.ibm.jsse2.S.<init>(S.java:177)
>     at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
>     at
> org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
>     at
> org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
>     at
> org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
>     at
> org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
>     at
> org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
>     at
> org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
>     at
> org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
>     at
> org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
>     at
> org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
>     at
> org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
> ERROR 14:01:09 Exception encountered during startup
> java.lang.IllegalArgumentException: SSLv2Hello is not a recognized
> protocol.
>

Who is at fault: user, Cassandra, JVM, OS?

Thanks.

Lou.






On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <ma...@midoco.de>
wrote:

> Hi,
>
> I did take a look into the source code of 3.11, but I believe the code is
> more or less the same.
> The SSL code makes use of Java SSL Sockets so you can limit the protocols
> in the "Java way".
> The Java way (at least for a recent Java 8) is to set up the protocols in
> the <jre>/lib/security/java.security file.
> Or to define a system property on the command line
> (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello).
>
> There are multiple options for SSL configuration in the config
> (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
> The most interesting one in your situation would be the cipher_suites
> option, which allows you
> to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> (which is a TLS1.2-only cipher suite).
>
> You can check the offered protocols for your server with an open source
> tool like sslyze (https://github.com/nabla-c0d3/sslyze)
>
> Marcus Haarmann
>
> ------------------------------
> *Von: *"Lou DeGenaro" <lo...@gmail.com>
> *An: *"user" <us...@cassandra.apache.org>
> *Gesendet: *Dienstag, 24. April 2018 11:21:06
> *Betreff: *Re: How to configure Cassandra to NOT use SSLv2?
>
> Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2?
> Happy to use a newer version of Cassandra if that's what's required.
>
> On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lo...@gmail.com>
> wrote:
>
>> 3.0.9
>>
>> On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mi...@pbandjelly.org>
>> wrote:
>>
>>> On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
>>> > Could you be more specific?  What does one specify exactly to assure
>>> > SSLv2 is not used for both client-server and server-server
>>> > communications?  Example yaml statements would be wonderful.
>>>
>>> The defaults in cassandra.yaml have only TLS specified in the current
>>> branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
>>> It's possible you may be on something older - what version are we
>>> talking about?
>>>
>>> --
>>> Michael
>>>
>>>
>>>
>>
>

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Marcus Haarmann <ma...@midoco.de>.
Hi, 

I did take a look into the source code of 3.11, but I believe the code is more or less the same. 
The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way". 
The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file. 
Or to define a system property on the command line (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello). 

There are multiple options for SSL configuration in the config 
(https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html) 
The most interesting one in your situation would be the cipher_suites option, which allows you 
to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
(which is a TLS1.2-only cipher suite). 

You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze) 

Marcus Haarmann 


Von: "Lou DeGenaro" <lo...@gmail.com> 
An: "user" <us...@cassandra.apache.org> 
Gesendet: Dienstag, 24. April 2018 11:21:06 
Betreff: Re: How to configure Cassandra to NOT use SSLv2? 

Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2? Happy to use a newer version of Cassandra if that's what's required. 

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lou.degenaro@gmail.com> wrote: 



3.0.9 

On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <michael@pbandjelly.org> wrote: 

On 04/20/2018 08:46 AM, Lou DeGenaro wrote: 
> Could you be more specific? What does one specify exactly to assure 
> SSLv2 is not used for both client-server and server-server 
> communications? Example yaml statements would be wonderful. 

The defaults in cassandra.yaml have only TLS specified in the current 
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit. 
It's possible you may be on something older - what version are we 
talking about? 

-- 
Michael 









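Marcus suggests checking from the outside what the listener actually offers, and that is the reliable test here: `-Dhttps.protocols` only governs the JDK's `HttpsURLConnection` client side, so it has no effect on the `SSLServerSocket` that `SSLFactory.getServerSocket` builds, which is why the trace above is unchanged by it. The following probe is an added example written for this thread; it is not code from Cassandra, sslyze or anyone in the discussion. It hand-builds a ClientHello either in the SSLv2-compatible record format (the "SSLv2Hello" case the error message is about) or in the normal TLS record format, sends it for each version, and classifies the first record the server returns. The host, port and the byte strings used in the self-check are constructed assumptions.

```python
"""Probe which hello formats and protocol versions a TLS listener accepts.

Added example for the mailing-list thread, not part of Cassandra or sslyze.
A server that still honours SSLv2Hello answers the SSLv2-format hello with a
normal TLS ServerHello; one that does not will send an alert or just close.
"""
import os
import socket
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# Deliberately mixed: CBC-SHA suites usable down to TLS 1.0 plus one
# TLS 1.2-only GCM suite. All need an RSA key on the server side.
CIPHER_SUITES = [0x002F, 0x0035, 0xC013, 0xC014, 0xC02F]


def build_tls_client_hello(version: int) -> bytes:
    """Standard TLS record (content type 0x16) carrying a ClientHello."""
    random = struct.pack("!I", 0) + os.urandom(28)          # gmt_unix_time + random
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version) + random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                  # compression: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    # Record-layer version pinned to TLS 1.0 so old stacks do not choke on it.
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(version: int) -> bytes:
    """SSLv2-format ClientHello that advertises a TLS version ("SSLv2Hello").

    Two-byte header with the high bit set, then MSG-CLIENT-HELLO (0x01), the
    highest version the client speaks, three length fields, 3-byte cipher
    specs (0x00 + TLS suite id) and a challenge.
    """
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in CIPHER_SUITES)
    challenge = os.urandom(16)
    msg = (b"\x01" + struct.pack("!H", version)
           + struct.pack("!H", len(specs))
           + struct.pack("!H", 0)                           # no session id
           + struct.pack("!H", len(challenge))
           + specs + challenge)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def classify_response(data: bytes):
    """Map the first server record to ('accepted', version) or ('rejected', why)."""
    if len(data) < 7:
        return ("rejected", "connection closed or short read")
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        server_version = struct.unpack("!H", data[9:11])[0]
        return ("accepted", VERSION_NAMES.get(server_version, hex(server_version)))
    if content_type == 0x15:                                           # Alert
        desc = data[6]
        # handshake_failure means no common suite, not a rejected version.
        return ("rejected", f"alert {ALERT_NAMES.get(desc, str(desc))}")
    return ("rejected", f"unexpected content type {content_type:#x}")


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Try every version in both hello formats and report what the server did."""
    builders = (("tls", build_tls_client_hello), ("sslv2hello", build_sslv2_client_hello))
    results = {}
    for name, version in VERSIONS.items():
        for fmt, builder in builders:
            try:
                with socket.create_connection((host, port), timeout=timeout) as sock:
                    sock.sendall(builder(version))
                    results[(name, fmt)] = classify_response(sock.recv(4096))
            except OSError as exc:
                results[(name, fmt)] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    # Assumed target: a node with client_encryption_options enabled on the
    # default native transport port.
    for (name, fmt), outcome in sorted(probe("127.0.0.1", 9042).items()):
        print(f"{name:8s} {fmt:11s} -> {outcome}")
```

Run it against a node's native transport port (9042) and its storage port (7000 or 7001) separately; the two listeners are configured by different yaml sections and can differ. An `accepted` result for the `sslv2hello` rows is exactly the "SSLv2Hello still enabled" condition; a `protocol_version` alert on the TLS rows for a version you intended to allow points at the JVM's disabled-algorithm list rather than at Cassandra.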

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Lou DeGenaro <lo...@gmail.com>.
Can someone please tell me how to prevent Cassandra 3.0.9 from
using SSLv2?
Happy to use a newer version of Cassandra if that's what's required.

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lo...@gmail.com>
wrote:

> 3.0.9
>
> On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mi...@pbandjelly.org>
> wrote:
>
>> On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
>> > Could you be more specific?  What does one specify exactly to assure
>> > SSLv2 is not used for both client-server and server-server
>> > communications?  Example yaml statements would be wonderful.
>>
>> The defaults in cassandra.yaml have only TLS specified in the current
>> branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
>> It's possible you may be on something older - what version are we
>> talking about?
>>
>> --
>> Michael
>>
>>
>>
>

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Lou DeGenaro <lo...@gmail.com>.
3.0.9

On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mi...@pbandjelly.org>
wrote:

> On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> > Could you be more specific?  What does one specify exactly to assure
> > SSLv2 is not used for both client-server and server-server
> > communications?  Example yaml statements would be wonderful.
>
> The defaults in cassandra.yaml have only TLS specified in the current
> branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
> It's possible you may be on something older - what version are we
> talking about?
>
> --
> Michael
>
>
>

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Michael Shuler <mi...@pbandjelly.org>.
On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> Could you be more specific?  What does one specify exactly to assure
> SSLv2 is not used for both client-server and server-server
> communications?  Example yaml statements would be wonderful. 

The defaults in cassandra.yaml have only TLS specified in the current
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
It's possible you may be on something older - what version are we
talking about?

-- 
Michael



Re: How to configure Cassandra to NOT use SSLv2?

Posted by Lou DeGenaro <lo...@gmail.com>.
Could you be more specific?  What does one specify exactly to assure SSLv2
is not used for both client-server and server-server communications?
Example yaml statements would be wonderful.

Your patience with the security neophyte is greatly appreciated.

Lou.

On Fri, Apr 20, 2018 at 9:35 AM, Michael Shuler <mi...@pbandjelly.org>
wrote:

> On 04/20/2018 07:41 AM, Lou DeGenaro wrote:
> > Running Cassandra produces the following error message:
> >
> > "SSLv2Hello is not a recognized protocol"
> >
> > because the JVM being used does not support SSLv2. The JVM does not
> > support SSLv2 because "it's a HUGE security risk."
> >
> > How does one configure Cassandra to *not* use SSLv2?
>
> See the `server_encryption_options:` and `client_encryption_options:`
> sections in conf/cassandra.yaml for the `protocol:` and `cipher_suites:`
> configurations. (Defaults are in comments.)
>
> --
> Michael
>
>
>

Re: How to configure Cassandra to NOT use SSLv2?

Posted by Michael Shuler <mi...@pbandjelly.org>.
On 04/20/2018 07:41 AM, Lou DeGenaro wrote:
> Running Cassandra produces the following error message:
> 
> "SSLv2Hello is not a recognized protocol"
> 
> because the JVM being used does not support SSLv2. The JVM does not
> support SSLv2 because "it's a HUGE security risk."
> 
> How does one configure Cassandra to *not* use SSLv2?

See the `server_encryption_options:` and `client_encryption_options:`
sections in conf/cassandra.yaml for the `protocol:` and `cipher_suites:`
configurations. (Defaults are in comments.)

-- 
Michael

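A concrete version of the two sections Michael points to, as an added example for this thread rather than the project's shipped defaults (paths, passwords and the suite list are assumptions to adapt). Two caveats a practitioner will want: `protocol: TLS` is the algorithm name Cassandra hands to `SSLContext.getInstance()`, not a list of enabled handshake versions, and on the 3.0.9 build in the trace above the enabled versions come from the hard-coded list in `SSLFactory.getServerSocket`, so `cipher_suites` is the knob you actually control. A TLS 1.2-only suite list leaves an SSLv3 or TLS 1.0 client nothing to negotiate even where the SSLv2Hello wrapper format itself is still enabled on a HotSpot JVM; on the IBM JSSE the startup still fails at `setEnabledProtocols` before any of this matters, which the trace shows and which no yaml setting changes.

```yaml
# Added example for this thread, not the shipped cassandra.yaml defaults.
# Adjust keystore paths, passwords and suites to your environment.
client_encryption_options:
    enabled: true
    optional: false
    keystore: conf/.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: conf/.truststore
    truststore_password: cassandra
    # Algorithm name for SSLContext.getInstance(); not a version list.
    protocol: TLS
    # SunX509 is the HotSpot/OpenJDK key manager name; IBM JSSE uses IbmX509.
    algorithm: SunX509
    store_type: JKS
    # TLS 1.2-only suites. GCM suites need Java 8, and AES-256 needs the
    # unlimited JCE policy on older Java 8 updates. Use the _ECDSA_ variants
    # instead if the keystore holds an EC key rather than an RSA key.
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]

server_encryption_options:
    # all: encrypt every internode link; dc/rack would leave local traffic clear.
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
    # Peers must present a certificate from the truststore, not just any TLS.
    require_client_auth: true
```

After restarting, look for the "Filtering out [...] as it isn't supported by the socket" warning that appears in the trace above: every suite it lists is one the JVM refused, and if it names all of your suites the node has no usable cipher at all. The shipped defaults are CBC-SHA suites that TLS 1.0 clients can also use, so restricting the list is what makes "no SSLv2/SSLv3/TLS 1.0" hold in practice; verify it from outside with sslyze or a hand-rolled probe rather than trusting the yaml.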