You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "David Capwell (Jira)" <ji...@apache.org> on 2020/08/03 19:20:01 UTC

[jira] [Commented] (CASSANDRA-15980) Improve log messages for socket connection/disconnection

    [ https://issues.apache.org/jira/browse/CASSANDRA-15980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17170371#comment-17170371 ] 

David Capwell commented on CASSANDRA-15980:
-------------------------------------------

LGTM +1

> Improve log messages for socket connection/disconnection
> --------------------------------------------------------
>
>                 Key: CASSANDRA-15980
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15980
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Observability/Logging
>            Reporter: Jon Meredith
>            Assignee: Jon Meredith
>            Priority: Normal
>             Fix For: 4.0-beta
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Logging for inbound SSL connections can take place before protocol negotiation has taken place and logs a misleading cipher that could cause problems for security auditing.
>   
>   
> {code:java}
> INFO  2020-07-03T13:57:58,380 [Messaging-EventLoop-3-1] org.apache.cassandra.net.InboundConnectionInitiator:242 - connection from peer /1.1.1.1:57899 to /2.2.2.2:7000, protocol = TLSv1.2, cipher suite = SSL_NULL_WITH_NULL_NULL
> {code}
>  
>  Instead Cassandra should log the connection & protocol, then once the cipher has been negotiated log the agreed upon cipher.
>   
>   
>  If the inbound SSL connection does not present a client certificate, Cassandra logs this error, even if the client wasn't required to.
> {code:java}
> ERROR 2020-07-14T11:58:45,925 [Native-Transport-Requests-1] org.apache.cassandra.transport.ServerConnection:140 - Failed to get peer certificates for peer /4.3.2.1:59263
> {code}
>  
>  Logging the absense of verified certificates should be a concern of the SaslNegotiator if it requires it, and not something worth alerting the operator for generally. Downgrade to debug message to make investigation possible if needed.
>   
>   
>  Finally, to help with logging issues related to disconnection, add a log statement when an instance decides it no longer needs to keep a gossip connection open when cleaning up connections in org.apache.cassandra.net.OutboundConnections.UnusedConnectionMonitor#closeUnusedSinceLastRun



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org