Andy Tolbert created CASSANDRA-18778:
----------------------------------------
Summary: Empty keystore_password no longer allowed on
encryption_options
Key: CASSANDRA-18778
URL: https://issues.apache.org/jira/browse/CASSANDRA-18778
Project: Cassandra
Issue Type: Bug
Components: Local/Config
Reporter: Andy Tolbert
Assignee: Andy Tolbert
After CASSANDRA-18124 (introduced in 4.1.2 and 5.0) it is no longer possible to
set an empty {{keystore_password}} under {{client_encryption_options}} or
{{server_encryption_options}} using the default implementation
{{{}DefaultSslContextFactory{}}}.
While keytool does not allow generating keystores with empty passwords, it does
support reading them. It is not uncommon to use PKCS12 certificates generated
by other tools (eg. openssl) that do not enforce passwords.
The fix for this should be pretty straightforward, which should involve
changing
[FileBasedSslContextFactory.validatePassword|https://github.com/apache/cassandra/blob/cassandra-4.1.2/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java#L128-L135]
to only disallow null passwords (which would be consistent with previous
versions). I will create pull requests against the relevant branches shortly.
{noformat}
Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered
during startup: Failed to initialize SSL
org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
at
org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1155)
at
org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:390)
at
org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:204)
at
org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:188)
at
org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:804)
at
org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:747)
at
org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:875)
Caused by: java.io.IOException: Failed to create SSL context using Native
transport
at
org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:405)
at
org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1150)
... 6 more
Caused by: java.lang.IllegalArgumentException: 'keystore_password' must be
specified
at
org.apache.cassandra.security.FileBasedSslContextFactory.validatePassword(FileBasedSslContextFactory.java:133)
at
org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java:151)
at
org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:181)
at
org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:168)
at
org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:355)
... 7 more
{noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
