You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@cassandra.apache.org by "Durity, Sean R" <SE...@homedepot.com> on 2018/04/24 15:10:19 UTC

RE: [EXTERNAL] Re: How to configure Cassandra to NOT use SSLv2?

I think I would start with the JVM. Sometimes, for export purposes, the cryptography extensions (JCE), are in a separate jar or package from the standard JRE or JVM. I haven’t used the IBM JDK, so I don’t know specifically about that one.

Also, perhaps the error is correct – SSLv2Hello is not a parameter that can be passed to the JVM. Maybe remove that option?


Sean Durity

From: Lou DeGenaro [mailto:lou.degenaro@gmail.com]
Sent: Tuesday, April 24, 2018 10:08 AM
To: user@cassandra.apache.org
Subject: [EXTERNAL] Re: How to configure Cassandra to NOT use SSLv2?

Thanks for your suggestions.  I tried using the -D shown below:
degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
...
WARN  14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
    at com.ibm.jsse2.S.a(S.java:112)
    at com.ibm.jsse2.S.b(S.java:136)
    at com.ibm.jsse2.S.<init>(S.java:177)
    at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
    at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
    at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
    at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
    at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
    at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
    at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
    at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
    at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
    at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
ERROR 14:01:09 Exception encountered during startup
java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.

Who is at fault: user, Cassandra, JVM, OS?
Thanks.
Lou.





On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <ma...@midoco.de>> wrote:
Hi,

I did take a look into the source code of 3.11, but I believe the code is more or less the same.
The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
The java way (at least for a recent Java 8) is to setup the protocols in the <jre>/lib/security/java.security file.
Or to define a system property on the command line (-Dhttps.protocols = TLSv1.2,TLSv1.1,SSLv2Hello).

There are multiple options for SSL configuration in the config
(https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.datastax.com_en_cassandra_3.0_cassandra_configuration_secureSSLNodeToNode.html&d=DwMFaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=aC_gxC6z_4f9GLlbWiKzHm1vucZTtVYWDDvyLkh8IaQ&m=QOoVAZobcmcsEyxj59YWMTj5abPsZ2aj4o5zMmyjCC4&s=0M1rR4ZuSCsqNDLDx_nMHCFHCGeb2ZUy5aneemX5LUM&e=>)
The most interesting one in your situation would be the cipher_suites option, which allows you
to limit the avaliable cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
(which is a TLS1.2-only cipher suite).

You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_nabla-2Dc0d3_sslyze&d=DwMFaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=aC_gxC6z_4f9GLlbWiKzHm1vucZTtVYWDDvyLkh8IaQ&m=QOoVAZobcmcsEyxj59YWMTj5abPsZ2aj4o5zMmyjCC4&s=n5bKZm63Sfznw2JVjWHu3fQiPz0XI_A4HvxlrQV9bPI&e=>)

Marcus Haarmann

________________________________
Von: "Lou DeGenaro" <lo...@gmail.com>>
An: "user" <us...@cassandra.apache.org>>
Gesendet: Dienstag, 24. April 2018 11:21:06
Betreff: Re: How to configure Cassandra to NOT use SSLv2?

Can someone please can tell me how to prevent Cassandra 3.0.9 from using SSLv2?  Happy to use a newer version of Cassandra if that's what's required.

On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lo...@gmail.com>> wrote:
3.0.9

On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mi...@pbandjelly.org>> wrote:
On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> Could you be more specific?  What does one specify exactly to assure
> SSLv2 is not used for both client-server and server-server
> communications?  Example yaml statements would be wonderful.

The defaults in cassandra.yaml have only TLS specified in the current
branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
It's possible you may be on something older - what version are we
talking about?

--
Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org<ma...@cassandra.apache.org>
For additional commands, e-mail: user-help@cassandra.apache.org<ma...@cassandra.apache.org>




________________________________

The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.