Posted to user@cassandra.apache.org by "Ashwini Mhatre (asmhatre)" <as...@cisco.com> on 2016/07/25 10:45:08 UTC
Issue in internode encryption in cassandra
Hi,
I am using internode encryption in Cassandra. With a self-signed CA it works fine, but with another product's CA I'm getting this error: "Filtering out TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket"
Thank you.
Regards,
Ashwini Mhatre
RE: Issue in internode encryption in cassandra
Posted by Bastien DINE <ba...@coservit.com>.
Hi Ashwini,
On all my nodes, I'm installing the additional JCE policy:
https://support.datastax.com/hc/en-us/articles/204226129-Receiving-error-Caused-by-java-lang-IllegalArgumentException-Cannot-support-TLS-RSA-WITH-AES-256-CBC-SHA-with-currently-installed-providers-on-DSE-startup-after-setting-up-client-to-node-encryption
Then I'm generating one key/certificate on each of my nodes, exporting the public part, storing it in the truststore of the other nodes and configuring cassandra.yaml.
The DataStax documentation is pretty clear:
https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLNodeToNode_t.html
Hope it helps,
Regards,
From: Ashwini Mhatre (asmhatre) [mailto:asmhatre@cisco.com]
Sent: Wednesday, 3 August 2016 12:25
To: user@cassandra.apache.org
Cc: Keshava H P (kehp); PRABHJOT KAUR (prabhkau)
Subject: Re: Issue in internode encryption in cassandra
Hi,
Does anyone have any hint regarding node-to-node encryption?
Regards,
Ashwini Mhatre
From: asmhatre <as...@cisco.com>
Reply-To: "user@cassandra.apache.org" <us...@cassandra.apache.org>
Date: Monday, 25 July 2016 at 4:15 PM
To: "user@cassandra.apache.org" <us...@cassandra.apache.org>
Subject: Issue in internode encryption in cassandra
I am using internode encryption in Cassandra. With a self-signed CA it works fine, but with another product's CA I'm getting this error: "Filtering out TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket"
Re: Issue in internode encryption in cassandra
Posted by "Ashwini Mhatre (asmhatre)" <as...@cisco.com>.
Hi,
Does anyone have any hint regarding node-to-node encryption?
Regards,
Ashwini Mhatre
From: asmhatre <as...@cisco.com>
Reply-To: "user@cassandra.apache.org" <us...@cassandra.apache.org>
Date: Monday, 25 July 2016 at 4:15 PM
To: "user@cassandra.apache.org" <us...@cassandra.apache.org>
Subject: Issue in internode encryption in cassandra
I am using internode encryption in Cassandra. With a self-signed CA it works fine, but with another product's CA I'm getting this error: "Filtering out TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket"
Re: Issue in internode encryption in cassandra
Posted by Eric Stevens <mi...@gmail.com>.
Those ciphers are not available on Java 6, on the off chance that you're trying to run Cassandra on that (you'll run into other troubles).
The more likely problem is that I think those ciphers are only available if you install the Unlimited Strength JCE policy files in your JVM on each node. Double-check that that's available universally in your cluster.
To test, you can borrow this code from Atlassian:
https://confluence.atlassian.com/bitbucketserverkb/files/779171661/779171662/1/1414093373406/Ciphers.java
Run this on each machine in your cluster with
javac Ciphers.java
java Ciphers
Compare the output to be certain the same ciphers are available everywhere.
On Mon, Jul 25, 2016 at 4:45 AM Ashwini Mhatre (asmhatre) <
asmhatre@cisco.com> wrote:
> Hi ,
>
> I am using internode encryption in Cassandra. With a self-signed CA it works
> fine, but with another product's CA I'm getting this error: "Filtering out
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it
> isnt supported by the socket"
>
>
> Thank you.
> Regards,
> Ashwini Mhatre
>
Re: Issue in internode encryption in cassandra
Posted by Nate McCall <na...@thelastpickle.com>.
> I am using internode encryption in Cassandra. With a self-signed CA it
> works fine, but with another product's CA I'm getting this error: "Filtering out
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it
> isnt supported by the socket"
>
You've specified ECDHE_RSA as the cipher. This is a new-ish cipher based on
elliptic curve cryptography and it may not be available to some
distributions. Run "openssl ciphers ECDH" on the node and the client to
ensure they both support that algorithm (my guess is one or the other
won't).
This article provides an excellent description of ECDH:
https://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#diffie-hellman-with-elliptic-curves
Unless you have a specific requirement, use "TLS_RSA_WITH_AES_256_CBC_SHA."
--
-----------------
Nate McCall
Wellington, NZ
@zznate
CTO
Apache Cassandra Consulting
http://www.thelastpickle.com
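Both Eric's and Nate's replies come down to the same check: find out what the JVM on each node can actually negotiate, and compare nodes. The program below is an added example written for this page; it is not code from the thread, from Cassandra, or from the Atlassian page Eric links, and the class name CipherCheck is my own. It asks the default SSLServerSocketFactory for its supported and default-enabled cipher suites, which is the socket-level list a "not supported by the socket" filter works from, reports the JCE key-length limit for AES and whether the SunEC provider is loaded, and exits non-zero when any of the named suites is unsupported so the check can be scripted across a cluster.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * CipherCheck: report which TLS cipher suites this JVM can negotiate and
 * whether the suites named on the command line are among them.
 * Added example for this thread; hypothetical class name, not Cassandra code.
 */
public class CipherCheck {

    // The two suites from the error message in the thread; any names passed
    // on the command line (e.g. the cipher_suites list from cassandra.yaml)
    // replace these defaults.
    private static final String[] DEFAULT_REQUIRED = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        String[] required = args.length > 0 ? args : DEFAULT_REQUIRED;

        // Query the server-side socket factory: a suite absent from
        // getSupportedCipherSuites() cannot be enabled on a server socket
        // no matter what the configuration asks for.
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        Set<String> supported = new TreeSet<>(Arrays.asList(factory.getSupportedCipherSuites()));
        Set<String> enabledByDefault = new TreeSet<>(Arrays.asList(factory.getDefaultCipherSuites()));

        // Two common reasons for a suite to be missing on one node only:
        // a limited JCE policy (caps AES at 128 bits, so *_AES_256_* suites
        // disappear) and a JDK built without the SunEC provider (so the
        // ECDHE_* suites disappear).
        int aesMaxBits = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimitedPolicy = aesMaxBits >= 256;
        boolean ecProvider = Security.getProvider("SunEC") != null;

        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("java.vendor        : " + System.getProperty("java.vendor"));
        System.out.println("AES max key length : " + aesMaxBits
                + (unlimitedPolicy ? " (unlimited-strength policy in effect)"
                                   : " (limited policy: *_AES_256_* suites unusable)"));
        System.out.println("SunEC provider     : "
                + (ecProvider ? "present" : "absent (ECDHE_* suites unsupported)"));
        System.out.println();

        List<String> missing = new ArrayList<>();
        for (String suite : required) {
            String status;
            if (!supported.contains(suite)) {
                status = "NOT SUPPORTED by this JVM";
                missing.add(suite);
            } else if (!enabledByDefault.contains(suite)) {
                status = "supported, but not enabled by default";
            } else {
                status = "supported and enabled by default";
            }
            System.out.println(suite + " : " + status);
        }

        System.out.println();
        System.out.println("All supported suites (" + supported.size() + "):");
        for (String s : supported) {
            System.out.println("  " + s);
        }

        // Non-zero exit status lets a loop over the cluster spot the odd node out.
        System.exit(missing.isEmpty() ? 0 : 1);
    }
}
```

Compile and run it on every node with `javac CipherCheck.java && java CipherCheck` (or pass the exact suite names from cassandra.yaml as arguments) and diff the output between nodes. A node whose JDK lacks SunEC will report the ECDHE suites as not supported regardless of the JCE policy, which is why the 128-bit suite can fail alongside the 256-bit one; a node running under the limited policy will report only the AES_256 suites missing. Recent JDK builds ship with the unlimited policy enabled, so on those the AES line simply confirms it.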