You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by jo...@apache.org on 2020/06/21 02:36:35 UTC
[cassandra] branch trunk updated: Update defaults for server and
client TLS settings
This is an automated email from the ASF dual-hosted git repository.
jolynch pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/trunk by this push:
new 674b6cc Update defaults for server and client TLS settings
674b6cc is described below
commit 674b6cc1a5e905a9c234c649adaad2de79cfa560
Author: Joseph Lynch <jo...@gmail.com>
AuthorDate: Fri Aug 16 18:15:55 2019 -0700
Update defaults for server and client TLS settings
This fixes backwards compatibility with the 3.11 server_encryption_options
while exposing the correct defaults after the 4.0 Netty refactor.
Patch by Joseph Lynch; Reviewed by Ekaterina Dimitrova for CASSANDRA-15262
---
CHANGES.txt | 1 +
conf/cassandra.yaml | 90 ++++++++++++++------
doc/source/operating/security.rst | 2 +-
.../cassandra/config/DatabaseDescriptor.java | 10 +--
.../apache/cassandra/config/EncryptionOptions.java | 95 +++++++++++++++-------
.../apache/cassandra/db/virtual/SettingsTable.java | 2 +-
.../cassandra/net/InboundConnectionInitiator.java | 24 +++---
.../org/apache/cassandra/net/InboundSockets.java | 2 +-
.../org/apache/cassandra/security/SSLFactory.java | 8 +-
.../cassandra/service/NativeTransportService.java | 2 +-
.../org/apache/cassandra/tools/BulkLoader.java | 2 +-
.../org/apache/cassandra/tools/LoaderOptions.java | 2 +-
.../apache/cassandra/transport/SimpleClient.java | 2 +-
.../cassandra/db/virtual/SettingsTableTest.java | 7 +-
.../org/apache/cassandra/net/ConnectionTest.java | 1 -
.../apache/cassandra/net/MessagingServiceTest.java | 19 ++---
.../apache/cassandra/security/SSLFactoryTest.java | 19 ++---
.../cassandra/stress/util/JavaDriverClient.java | 2 +-
18 files changed, 174 insertions(+), 116 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 2d66d05..569d74b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
4.0-alpha5
+ * Update defaults for server and client TLS settings (CASSANDRA-15262)
* Differentiate follower/initator in StreamMessageHeader (CASSANDRA-15665)
* Add a startup check to detect if LZ4 uses java rather than native implementation (CASSANDRA-15884)
* Fix missing topology events when running multiple nodes on the same network interface (CASSANDRA-15677)
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 79f6434..0778628 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -1042,61 +1042,99 @@ dynamic_snitch_reset_interval_in_ms: 600000
# until the pinned host was 20% worse than the fastest.
dynamic_snitch_badness_threshold: 0.1
-# Enable or disable inter-node encryption
+# Configure server-to-server internode encryption
+#
# JVM and netty defaults for supported SSL socket protocols and cipher suites can
# be replaced using custom encryption options. This is not recommended
# unless you have policies in place that dictate certain settings, or
# need to disable vulnerable ciphers or protocols in case the JVM cannot
# be updated.
+#
# FIPS compliant settings can be configured at JVM level and should not
# involve changing encryption settings here:
# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
#
-# *NOTE* No custom encryption options are enabled at the moment
-# The available internode options are : all, none, dc, rack
-# If set to dc cassandra will encrypt the traffic between the DCs
-# If set to rack cassandra will encrypt the traffic between the racks
-#
-# The passwords used in these options must match the passwords used when generating
-# the keystore and truststore. For instructions on generating these files, see:
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable server-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
#
+# Step 1: Set internode_encryption=<dc|rack|all> and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
server_encryption_options:
- # set to true for allowing secure incoming connections
- enabled: false
- # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
- optional: false
- # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
+ # On outbound connections, determine which type of peers to securely connect to.
+ # The available options are :
+ # none : Do not encrypt outgoing connections
+ # dc : Encrypt connections to peers in other datacenters but not within datacenters
+ # rack : Encrypt connections to peers in other racks but not within racks
+ # all : Always use encrypted connections
+ internode_encryption: none
+ # When set to true, encrypted and unencrypted connections are allowed on the storage_port
+ # This should _only be true_ while in unencrypted or transitional operation
+ # optional defaults to true if internode_encryption is none
+ # optional: true
+ # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used
# during upgrade to 4.0; otherwise, set to false.
enable_legacy_ssl_storage_port: false
- # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
- internode_encryption: none
+ # Set to a valid keystore if internode_encryption is dc, rack or all
keystore: conf/.keystore
keystore_password: cassandra
+ # Verify peer server certificates
+ require_client_auth: false
+ # Set to a valid trustore if require_client_auth is true
truststore: conf/.truststore
truststore_password: cassandra
- # More advanced defaults below:
+ # Verify that the host name in the certificate matches the connected host
+ require_endpoint_verification: false
+ # More advanced defaults:
# protocol: TLS
# store_type: JKS
- # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
- # require_client_auth: false
- # require_endpoint_verification: false
-
-# enable or disable client-to-server encryption.
+ # cipher_suites: [
+ # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+ # TLS_RSA_WITH_AES_256_CBC_SHA
+ # ]
+
+# Configure client-to-server encryption.
+#
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable client-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
+#
+# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
client_encryption_options:
+ # Enable client-to-server encryption
enabled: false
- # If enabled and optional is set to true encrypted and unencrypted connections are handled.
- optional: false
+ # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port
+ # This should _only be true_ while in unencrypted or transitional operation
+ # optional defaults to true when enabled is false, and false when enabled is true.
+ # optional: true
+ # Set keystore and keystore_password to valid keystores if enabled is true
keystore: conf/.keystore
keystore_password: cassandra
- # require_client_auth: false
+ # Verify client certificates
+ require_client_auth: false
# Set trustore and truststore_password if require_client_auth is true
# truststore: conf/.truststore
# truststore_password: cassandra
- # More advanced defaults below:
+ # More advanced defaults:
# protocol: TLS
# store_type: JKS
- # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
+ # cipher_suites: [
+ # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+ # TLS_RSA_WITH_AES_256_CBC_SHA
+ # ]
# internode_compression controls whether traffic between nodes is
# compressed.
diff --git a/doc/source/operating/security.rst b/doc/source/operating/security.rst
index 12f2d24..c945949 100644
--- a/doc/source/operating/security.rst
+++ b/doc/source/operating/security.rst
@@ -54,7 +54,7 @@ cassandra.yaml. See `the java document on FIPS <https://docs.oracle.com/javase/8
for more details.
For information on generating the keystore and truststore files used in SSL communications, see the
-`java documentation on creating keystores <http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore>`__
+`java documentation on creating keystores <https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore>`__
SSL Certificate Hot Reloading
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index a36ac1e..9cc2a3b 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -762,19 +762,11 @@ public class DatabaseDescriptor
// native transport encryption options
if (conf.native_transport_port_ssl != null
&& conf.native_transport_port_ssl != conf.native_transport_port
- && !conf.client_encryption_options.enabled)
+ && !conf.client_encryption_options.isEnabled())
{
throw new ConfigurationException("Encryption must be enabled in client_encryption_options for native_transport_port_ssl", false);
}
- // internode messaging encryption options
- if (conf.server_encryption_options.internode_encryption != InternodeEncryption.none
- && !conf.server_encryption_options.enabled)
- {
- throw new ConfigurationException("Encryption must be enabled in server_encryption_options when using peer-to-peer security. " +
- "server_encryption_options.internode_encryption = " + conf.server_encryption_options.internode_encryption, false);
- }
-
if (conf.max_value_size_in_mb <= 0)
throw new ConfigurationException("max_value_size_in_mb must be positive", false);
else if (conf.max_value_size_in_mb >= 2048)
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index 0a33dcc..8ccf6d2 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -37,8 +37,14 @@ public class EncryptionOptions
public final String store_type;
public final boolean require_client_auth;
public final boolean require_endpoint_verification;
- public final boolean enabled;
- public final boolean optional;
+ // ServerEncryptionOptions does not use the enabled flag at all instead using the existing
+ // internode_encryption option. So we force this private and expose through isEnabled
+ // so users of ServerEncryptionOptions can't accidentally use this when they should use isEnabled
+ // Long term we need to refactor ClientEncryptionOptions and ServerEncyrptionOptions to be separate
+ // classes so we can choose appropriate configuration for each.
+ // See CASSANDRA-15262 and CASSANDRA-15146
+ private boolean enabled;
+ public final Boolean optional;
public EncryptionOptions()
{
@@ -53,10 +59,10 @@ public class EncryptionOptions
require_client_auth = false;
require_endpoint_verification = false;
enabled = false;
- optional = false;
+ optional = true;
}
- public EncryptionOptions(String keystore, String keystore_password, String truststore, String truststore_password, List<String> cipher_suites, String protocol, String algorithm, String store_type, boolean require_client_auth, boolean require_endpoint_verification, boolean enabled, boolean optional)
+ public EncryptionOptions(String keystore, String keystore_password, String truststore, String truststore_password, List<String> cipher_suites, String protocol, String algorithm, String store_type, boolean require_client_auth, boolean require_endpoint_verification, boolean enabled, Boolean optional)
{
this.keystore = keystore;
this.keystore_password = keystore_password;
@@ -69,7 +75,14 @@ public class EncryptionOptions
this.require_client_auth = require_client_auth;
this.require_endpoint_verification = require_endpoint_verification;
this.enabled = enabled;
- this.optional = optional;
+ if (optional != null) {
+ this.optional = optional;
+ } else {
+ // If someone is asking for an _insecure_ connection and not explicitly telling us to refuse
+ // encrypted connections we assume they would like to be able to transition to encrypted connections
+ // in the future.
+ this.optional = !enabled;
+ }
}
public EncryptionOptions(EncryptionOptions options)
@@ -85,7 +98,33 @@ public class EncryptionOptions
require_client_auth = options.require_client_auth;
require_endpoint_verification = options.require_endpoint_verification;
enabled = options.enabled;
- optional = options.optional;
+ if (options.optional != null) {
+ optional = options.optional;
+ } else {
+ // If someone is asking for an _insecure_ connection and not explicitly telling us to refuse
+ // encrypted connections we assume they would like to be able to transition to encrypted connections
+ // in the future.
+ optional = !enabled;
+ }
+ }
+
+ /**
+ * Indicates if the channel should be encrypted. Client and Server uses different logic to determine this
+ *
+ * @return if the channel should be encrypted
+ */
+ public boolean isEnabled() {
+ return this.enabled;
+ }
+
+ /**
+ * Sets if encryption should be enabled for this channel. Note that this should only be called by
+ * the configuration parser or tests. It is public only for that purpose, mutating enabled state
+ * is probably a bad idea.
+ * @param enabled
+ */
+ public void setEnabled(boolean enabled) {
+ this.enabled = enabled;
}
public EncryptionOptions withKeyStore(String keystore)
@@ -244,9 +283,10 @@ public class EncryptionOptions
this.internode_encryption = InternodeEncryption.none;
this.enable_legacy_ssl_storage_port = false;
}
- public ServerEncryptionOptions(String keystore, String keystore_password, String truststore, String truststore_password, List<String> cipher_suites, String protocol, String algorithm, String store_type, boolean require_client_auth, boolean require_endpoint_verification, boolean enabled, boolean optional, InternodeEncryption internode_encryption, boolean enable_legacy_ssl_storage_port)
+
+ public ServerEncryptionOptions(String keystore, String keystore_password, String truststore, String truststore_password, List<String> cipher_suites, String protocol, String algorithm, String store_type, boolean require_client_auth, boolean require_endpoint_verification, Boolean optional, InternodeEncryption internode_encryption, boolean enable_legacy_ssl_storage_port)
{
- super(keystore, keystore_password, truststore, truststore_password, cipher_suites, protocol, algorithm, store_type, require_client_auth, require_endpoint_verification, enabled, optional);
+ super(keystore, keystore_password, truststore, truststore_password, cipher_suites, protocol, algorithm, store_type, require_client_auth, require_endpoint_verification, internode_encryption != InternodeEncryption.none, optional);
this.internode_encryption = internode_encryption;
this.enable_legacy_ssl_storage_port = enable_legacy_ssl_storage_port;
}
@@ -258,6 +298,10 @@ public class EncryptionOptions
this.enable_legacy_ssl_storage_port = options.enable_legacy_ssl_storage_port;
}
+ public boolean isEnabled() {
+ return this.internode_encryption != InternodeEncryption.none;
+ }
+
public boolean shouldEncrypt(InetAddressAndPort endpoint)
{
IEndpointSnitch snitch = DatabaseDescriptor.getEndpointSnitch();
@@ -286,105 +330,98 @@ public class EncryptionOptions
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withKeyStorePassword(String keystore_password)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withTrustStore(String truststore)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withTrustStorePassword(String truststore_password)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withCipherSuites(List<String> cipher_suites)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withCipherSuites(String ... cipher_suites)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, ImmutableList.copyOf(cipher_suites),
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withProtocol(String protocol)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withAlgorithm(String algorithm)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withStoreType(String store_type)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withRequireClientAuth(boolean require_client_auth)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withRequireEndpointVerification(boolean require_endpoint_verification)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
- }
-
- public ServerEncryptionOptions withEnabled(boolean enabled)
- {
- return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
- protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withOptional(boolean optional)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withInternodeEncryption(InternodeEncryption internode_encryption)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
public ServerEncryptionOptions withLegacySslStoragePort(boolean enable_legacy_ssl_storage_port)
{
return new ServerEncryptionOptions(keystore, keystore_password, truststore, truststore_password, cipher_suites,
protocol, algorithm, store_type, require_client_auth, require_endpoint_verification,
- enabled, optional, internode_encryption, enable_legacy_ssl_storage_port);
+ optional, internode_encryption, enable_legacy_ssl_storage_port);
}
}
diff --git a/src/java/org/apache/cassandra/db/virtual/SettingsTable.java b/src/java/org/apache/cassandra/db/virtual/SettingsTable.java
index b26a63d..d11f69a 100644
--- a/src/java/org/apache/cassandra/db/virtual/SettingsTable.java
+++ b/src/java/org/apache/cassandra/db/virtual/SettingsTable.java
@@ -160,7 +160,7 @@ final class SettingsTable extends AbstractVirtualTable
Preconditions.checkArgument(EncryptionOptions.class.isAssignableFrom(f.getType()));
EncryptionOptions value = (EncryptionOptions) getValue(f);
- result.row(f.getName() + "_enabled").column(VALUE, Boolean.toString(value.enabled));
+ result.row(f.getName() + "_enabled").column(VALUE, Boolean.toString(value.isEnabled()));
result.row(f.getName() + "_algorithm").column(VALUE, value.algorithm);
result.row(f.getName() + "_protocol").column(VALUE, value.protocol);
result.row(f.getName() + "_cipher_suites").column(VALUE, value.cipher_suites.toString());
diff --git a/src/java/org/apache/cassandra/net/InboundConnectionInitiator.java b/src/java/org/apache/cassandra/net/InboundConnectionInitiator.java
index 3c1498b..4ad3d8c 100644
--- a/src/java/org/apache/cassandra/net/InboundConnectionInitiator.java
+++ b/src/java/org/apache/cassandra/net/InboundConnectionInitiator.java
@@ -97,20 +97,18 @@ public class InboundConnectionInitiator
pipelineInjector.accept(pipeline);
// order of handlers: ssl -> logger -> handshakeHandler
- if (settings.encryption.enabled)
+ // For either unencrypted or transitional modes, allow Ssl optionally.
+ if (settings.encryption.optional)
{
- if (settings.encryption.optional)
- {
- pipeline.addFirst("ssl", new OptionalSslHandler(settings.encryption));
- }
- else
- {
- SslContext sslContext = SSLFactory.getOrCreateSslContext(settings.encryption, true, SSLFactory.SocketType.SERVER);
- InetSocketAddress peer = settings.encryption.require_endpoint_verification ? channel.remoteAddress() : null;
- SslHandler sslHandler = newSslHandler(channel, sslContext, peer);
- logger.trace("creating inbound netty SslContext: context={}, engine={}", sslContext.getClass().getName(), sslHandler.engine().getClass().getName());
- pipeline.addFirst("ssl", sslHandler);
- }
+ pipeline.addFirst("ssl", new OptionalSslHandler(settings.encryption));
+ }
+ else
+ {
+ SslContext sslContext = SSLFactory.getOrCreateSslContext(settings.encryption, true, SSLFactory.SocketType.SERVER);
+ InetSocketAddress peer = settings.encryption.require_endpoint_verification ? channel.remoteAddress() : null;
+ SslHandler sslHandler = newSslHandler(channel, sslContext, peer);
+ logger.trace("creating inbound netty SslContext: context={}, engine={}", sslContext.getClass().getName(), sslHandler.engine().getClass().getName());
+ pipeline.addFirst("ssl", sslHandler);
}
if (WIRETRACE)
diff --git a/src/java/org/apache/cassandra/net/InboundSockets.java b/src/java/org/apache/cassandra/net/InboundSockets.java
index eb9ef8e..6fc5f52 100644
--- a/src/java/org/apache/cassandra/net/InboundSockets.java
+++ b/src/java/org/apache/cassandra/net/InboundSockets.java
@@ -190,7 +190,7 @@ class InboundSockets
InboundConnectionSettings settings = template.withDefaults();
InboundConnectionSettings legacySettings = template.withLegacyDefaults();
- if (settings.encryption.enable_legacy_ssl_storage_port && settings.encryption.enabled)
+ if (settings.encryption.enable_legacy_ssl_storage_port)
{
out.add(new InboundSocket(legacySettings));
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index f6bbcd0..e51ce46 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -370,13 +370,13 @@ public final class SSLFactory
List<HotReloadableFile> fileList = new ArrayList<>();
- if (serverOpts != null && serverOpts.enabled)
+ if (serverOpts != null && serverOpts.isEnabled())
{
fileList.add(new HotReloadableFile(serverOpts.keystore));
fileList.add(new HotReloadableFile(serverOpts.truststore));
}
- if (clientOpts != null && clientOpts.enabled)
+ if (clientOpts != null && clientOpts.isEnabled())
{
fileList.add(new HotReloadableFile(clientOpts.keystore));
fileList.add(new HotReloadableFile(clientOpts.truststore));
@@ -406,7 +406,7 @@ public final class SSLFactory
try
{
// Ensure we're able to create both server & client SslContexts
- if (serverOpts != null && serverOpts.enabled)
+ if (serverOpts != null && serverOpts.isEnabled())
{
createNettySslContext(serverOpts, true, SocketType.SERVER, openSslIsAvailable());
createNettySslContext(serverOpts, true, SocketType.CLIENT, openSslIsAvailable());
@@ -420,7 +420,7 @@ public final class SSLFactory
try
{
// Ensure we're able to create both server & client SslContexts
- if (clientOpts != null && clientOpts.enabled)
+ if (clientOpts != null && clientOpts.isEnabled())
{
createNettySslContext(clientOpts, clientOpts.require_client_auth, SocketType.SERVER, openSslIsAvailable());
createNettySslContext(clientOpts, clientOpts.require_client_auth, SocketType.CLIENT, openSslIsAvailable());
diff --git a/src/java/org/apache/cassandra/service/NativeTransportService.java b/src/java/org/apache/cassandra/service/NativeTransportService.java
index 66b5000..6cdce3f 100644
--- a/src/java/org/apache/cassandra/service/NativeTransportService.java
+++ b/src/java/org/apache/cassandra/service/NativeTransportService.java
@@ -79,7 +79,7 @@ public class NativeTransportService
.withEventLoopGroup(workerGroup)
.withHost(nativeAddr);
- if (!DatabaseDescriptor.getNativeProtocolEncryptionOptions().enabled)
+ if (!DatabaseDescriptor.getNativeProtocolEncryptionOptions().isEnabled())
{
servers = Collections.singleton(builder.withSSL(false).withPort(nativePort).build());
}
diff --git a/src/java/org/apache/cassandra/tools/BulkLoader.java b/src/java/org/apache/cassandra/tools/BulkLoader.java
index 07b534c..c08881b 100644
--- a/src/java/org/apache/cassandra/tools/BulkLoader.java
+++ b/src/java/org/apache/cassandra/tools/BulkLoader.java
@@ -246,7 +246,7 @@ public class BulkLoader
private static SSLOptions buildSSLOptions(EncryptionOptions clientEncryptionOptions)
{
- if (!clientEncryptionOptions.enabled)
+ if (!clientEncryptionOptions.isEnabled())
{
return null;
}
diff --git a/src/java/org/apache/cassandra/tools/LoaderOptions.java b/src/java/org/apache/cassandra/tools/LoaderOptions.java
index 1801941..686c834 100644
--- a/src/java/org/apache/cassandra/tools/LoaderOptions.java
+++ b/src/java/org/apache/cassandra/tools/LoaderOptions.java
@@ -464,7 +464,7 @@ public class LoaderOptions
}
else
{
- if (config.native_transport_port_ssl != null && (config.client_encryption_options.enabled || clientEncOptions.enabled))
+ if (config.native_transport_port_ssl != null && (config.client_encryption_options.isEnabled() || clientEncOptions.isEnabled()))
nativePort = config.native_transport_port_ssl;
else
nativePort = config.native_transport_port;
diff --git a/src/java/org/apache/cassandra/transport/SimpleClient.java b/src/java/org/apache/cassandra/transport/SimpleClient.java
index 6340b69..ef3c1db 100644
--- a/src/java/org/apache/cassandra/transport/SimpleClient.java
+++ b/src/java/org/apache/cassandra/transport/SimpleClient.java
@@ -168,7 +168,7 @@ public class SimpleClient implements Closeable
.option(ChannelOption.TCP_NODELAY, true);
// Configure the pipeline factory.
- if(encryptionOptions.enabled)
+ if(encryptionOptions.isEnabled())
{
bootstrap.handler(new SecureInitializer());
}
diff --git a/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java b/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java
index de5f514..7a27282 100644
--- a/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java
+++ b/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java
@@ -137,9 +137,7 @@ public class SettingsTableTest extends CQLTester
String all = "SELECT * FROM vts.settings WHERE " +
"name > 'server_encryption' AND name < 'server_encryptionz' ALLOW FILTERING";
- config.server_encryption_options = config.server_encryption_options.withEnabled(true);
Assert.assertEquals(9, executeNet(all).all().size());
- check(pre + "enabled", "true");
check(pre + "algorithm", null);
config.server_encryption_options = config.server_encryption_options.withAlgorithm("SUPERSSL");
@@ -153,9 +151,9 @@ public class SettingsTableTest extends CQLTester
config.server_encryption_options = config.server_encryption_options.withProtocol("TLSv5");
check(pre + "protocol", "TLSv5");
- check(pre + "optional", "false");
- config.server_encryption_options = config.server_encryption_options.withOptional(true);
check(pre + "optional", "true");
+ config.server_encryption_options = config.server_encryption_options.withOptional(false);
+ check(pre + "optional", "false");
check(pre + "client_auth", "false");
config.server_encryption_options = config.server_encryption_options.withRequireClientAuth(true);
@@ -168,6 +166,7 @@ public class SettingsTableTest extends CQLTester
check(pre + "internode_encryption", "none");
config.server_encryption_options = config.server_encryption_options.withInternodeEncryption(InternodeEncryption.all);
check(pre + "internode_encryption", "all");
+ check(pre + "enabled", "true");
check(pre + "legacy_ssl_storage_port", "false");
config.server_encryption_options = config.server_encryption_options.withLegacySslStoragePort(true);
diff --git a/test/unit/org/apache/cassandra/net/ConnectionTest.java b/test/unit/org/apache/cassandra/net/ConnectionTest.java
index c8dc369..eb8d867 100644
--- a/test/unit/org/apache/cassandra/net/ConnectionTest.java
+++ b/test/unit/org/apache/cassandra/net/ConnectionTest.java
@@ -179,7 +179,6 @@ public class ConnectionTest
static final EncryptionOptions.ServerEncryptionOptions encryptionOptions =
new EncryptionOptions.ServerEncryptionOptions()
- .withEnabled(true)
.withLegacySslStoragePort(true)
.withOptional(true)
.withInternodeEncryption(EncryptionOptions.ServerEncryptionOptions.InternodeEncryption.all)
diff --git a/test/unit/org/apache/cassandra/net/MessagingServiceTest.java b/test/unit/org/apache/cassandra/net/MessagingServiceTest.java
index 9a1f07f..9ce041b 100644
--- a/test/unit/org/apache/cassandra/net/MessagingServiceTest.java
+++ b/test/unit/org/apache/cassandra/net/MessagingServiceTest.java
@@ -45,7 +45,6 @@ import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions;
import org.apache.cassandra.db.commitlog.CommitLog;
import org.apache.cassandra.metrics.MessagingMetrics;
-import org.apache.cassandra.utils.ApproximateTime;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.locator.InetAddressAndPort;
import org.apache.cassandra.utils.FBUtilities;
@@ -449,7 +448,7 @@ public class MessagingServiceTest
public void listenPlainConnection() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(false);
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.none);
listen(serverEncryptionOptions, false);
}
@@ -457,7 +456,7 @@ public class MessagingServiceTest
public void listenPlainConnectionWithBroadcastAddr() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(false);
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.none);
listen(serverEncryptionOptions, true);
}
@@ -465,8 +464,8 @@ public class MessagingServiceTest
public void listenRequiredSecureConnection() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
.withOptional(false)
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all)
.withLegacySslStoragePort(false);
listen(serverEncryptionOptions, false);
}
@@ -475,8 +474,8 @@ public class MessagingServiceTest
public void listenRequiredSecureConnectionWithBroadcastAddr() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
.withOptional(false)
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all)
.withLegacySslStoragePort(false);
listen(serverEncryptionOptions, true);
}
@@ -485,7 +484,7 @@ public class MessagingServiceTest
public void listenRequiredSecureConnectionWithLegacyPort() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all)
.withOptional(false)
.withLegacySslStoragePort(true);
listen(serverEncryptionOptions, false);
@@ -495,7 +494,7 @@ public class MessagingServiceTest
public void listenRequiredSecureConnectionWithBroadcastAddrAndLegacyPort() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all)
.withOptional(false)
.withLegacySslStoragePort(true);
listen(serverEncryptionOptions, true);
@@ -505,7 +504,6 @@ public class MessagingServiceTest
public void listenOptionalSecureConnection() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
.withOptional(true);
listen(serverEncryptionOptions, false);
}
@@ -514,7 +512,6 @@ public class MessagingServiceTest
public void listenOptionalSecureConnectionWithBroadcastAddr() throws InterruptedException
{
ServerEncryptionOptions serverEncryptionOptions = new ServerEncryptionOptions()
- .withEnabled(true)
.withOptional(true);
listen(serverEncryptionOptions, true);
}
@@ -554,9 +551,9 @@ public class MessagingServiceTest
final int legacySslPort = DatabaseDescriptor.getSSLStoragePort();
for (InboundSockets.InboundSocket socket : connections.sockets())
{
- Assert.assertEquals(serverEncryptionOptions.enabled, socket.settings.encryption.enabled);
+ Assert.assertEquals(serverEncryptionOptions.isEnabled(), socket.settings.encryption.isEnabled());
Assert.assertEquals(serverEncryptionOptions.optional, socket.settings.encryption.optional);
- if (!serverEncryptionOptions.enabled)
+ if (!serverEncryptionOptions.isEnabled())
Assert.assertFalse(legacySslPort == socket.settings.bindAddress.port);
if (legacySslPort == socket.settings.bindAddress.port)
Assert.assertFalse(socket.settings.encryption.optional);
diff --git a/test/unit/org/apache/cassandra/security/SSLFactoryTest.java b/test/unit/org/apache/cassandra/security/SSLFactoryTest.java
index d2e85b2..307a276 100644
--- a/test/unit/org/apache/cassandra/security/SSLFactoryTest.java
+++ b/test/unit/org/apache/cassandra/security/SSLFactoryTest.java
@@ -165,10 +165,10 @@ public class SSLFactoryTest
{
try
{
- EncryptionOptions options = addKeystoreOptions(encryptionOptions)
- .withEnabled(true);
+ ServerEncryptionOptions options = addKeystoreOptions(encryptionOptions)
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all);
- SSLFactory.initHotReloading((ServerEncryptionOptions) options, options, true);
+ SSLFactory.initHotReloading(options, options, true);
SslContext oldCtx = SSLFactory.getOrCreateSslContext(options, true, SSLFactory.SocketType.CLIENT, OpenSsl
.isAvailable());
@@ -197,11 +197,11 @@ public class SSLFactoryTest
@Test(expected = IOException.class)
public void testSslFactorySslInit_BadPassword_ThrowsException() throws IOException
{
- EncryptionOptions options = addKeystoreOptions(encryptionOptions)
+ ServerEncryptionOptions options = addKeystoreOptions(encryptionOptions)
.withKeyStorePassword("bad password")
- .withEnabled(true);
+ .withInternodeEncryption(ServerEncryptionOptions.InternodeEncryption.all);
- SSLFactory.initHotReloading((ServerEncryptionOptions) options, options, true);
+ SSLFactory.initHotReloading(options, options, true);
}
@Test
@@ -209,8 +209,7 @@ public class SSLFactoryTest
{
try
{
- ServerEncryptionOptions options = addKeystoreOptions(encryptionOptions)
- .withEnabled(true);
+ ServerEncryptionOptions options = addKeystoreOptions(encryptionOptions);
SSLFactory.initHotReloading(options, options, true);
SslContext oldCtx = SSLFactory.getOrCreateSslContext(options, true, SSLFactory.SocketType.CLIENT, OpenSsl
@@ -243,9 +242,7 @@ public class SSLFactoryTest
File testKeystoreFile = new File(options.keystore + ".test");
FileUtils.copyFile(new File(options.keystore),testKeystoreFile);
- options = options
- .withKeyStore(testKeystoreFile.getPath())
- .withEnabled(true);
+ options = options.withKeyStore(testKeystoreFile.getPath());
SSLFactory.initHotReloading(options, options, true);
diff --git a/tools/stress/src/org/apache/cassandra/stress/util/JavaDriverClient.java b/tools/stress/src/org/apache/cassandra/stress/util/JavaDriverClient.java
index 72487dc..643e58f 100644
--- a/tools/stress/src/org/apache/cassandra/stress/util/JavaDriverClient.java
+++ b/tools/stress/src/org/apache/cassandra/stress/util/JavaDriverClient.java
@@ -138,7 +138,7 @@ public class JavaDriverClient
if (loadBalancingPolicy != null)
clusterBuilder.withLoadBalancingPolicy(loadBalancingPolicy);
clusterBuilder.withCompression(compression);
- if (encryptionOptions.enabled)
+ if (encryptionOptions.isEnabled())
{
SSLContext sslContext;
sslContext = SSLFactory.createSSLContext(encryptionOptions, true);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org