Posted to commits@cassandra.apache.org by "David Capwell (Jira)" <ji...@apache.org> on 2020/12/02 03:06:00 UTC

[jira] [Commented] (CASSANDRA-13325) Bring back the accepted encryption protocols list as configurable option

    [ https://issues.apache.org/jira/browse/CASSANDRA-13325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17242011#comment-17242011 ] 

David Capwell commented on CASSANDRA-13325:
-------------------------------------------

Left comments in GH, mostly LGTM.  The only real comment I had was about ref counting the ssl engine, so think this can be +1ed tomorrow once addressed.

> Bring back the accepted encryption protocols list as configurable option
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13325
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Local/Config
>            Reporter: Nachiket Patil
>            Assignee: Jon Meredith
>            Priority: Low
>             Fix For: 4.0-beta
>
>         Attachments: trunk.diff
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> With CASSANDRA-10508, the hard coded list of accepted encryption protocols was eliminated. For some use cases, it is necessary to restrict the encryption protocols used for communication between client and server. The default JVM way of negotiation allows the best encryption protocol that the client can use.
> e.g. I have set Cassandra to use encryption. Ideally client and server negotiate to use the best protocol (TLSv1.2). But a malicious client might force TLSv1.0, which is susceptible to POODLE attacks.
> At the moment the only way to restrict the encryption protocol is using the {{jdk.tls.client.protocols}} system property. If I don't have enough access to modify this property, I don't have any way of restricting the encryption protocols.
> I am proposing to bring back the accepted_protocols property but make it configurable. If not specified, let the JVM take care of the TLS negotiations.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

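As an added illustration, not code from this Jira issue or from the Cassandra patch under review, here is a Java helper that applies a configured accepted-protocols list to a JVM SSLEngine: it leaves the JVM's own negotiation in place when no list is configured, and fails loudly on names the running JVM does not support rather than silently falling back. The class name, method name and the sample protocol list are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Illustrative helper (hypothetical, not Cassandra's SSLFactory). */
public final class AcceptedProtocols {

    /**
     * Restricts the engine to the configured protocols and returns the
     * resulting enabled list. A null or empty configuration keeps the JVM
     * defaults, mirroring "if not specified, let the JVM negotiate".
     */
    public static String[] apply(SSLEngine engine, List<String> acceptedProtocols) {
        if (acceptedProtocols == null || acceptedProtocols.isEmpty()) {
            return engine.getEnabledProtocols();
        }
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> enabled = new ArrayList<>();
        List<String> unknown = new ArrayList<>();
        for (String name : acceptedProtocols) {
            if (supported.contains(name)) enabled.add(name);
            else unknown.add(name);
        }
        // Fail closed on a typo or an unsupported name: a misconfigured list must
        // not quietly widen the set of protocols the node will negotiate.
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException(
                "accepted_protocols entries not supported by this JVM: " + unknown);
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, as for Cassandra's listener
        System.out.println("JVM default: " + Arrays.toString(engine.getEnabledProtocols()));
        // Constructed configuration value, e.g. what accepted_protocols would carry.
        String[] restricted = apply(engine, Arrays.asList("TLSv1.2", "TLSv1.3"));
        System.out.println("Restricted:  " + Arrays.toString(restricted));
    }
}
```

On a JVM whose defaults still include TLSv1.0 or TLSv1.1, the second line of output shows only the configured versions, which is the restriction the issue asks for without touching jdk.tls.client.protocols.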