[ https://issues.apache.org/jira/browse/CASSANDRA-18778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17758862#comment-17758862 ]

Stefan Miklosovic edited comment on CASSANDRA-18778 at 8/25/23 7:43 AM:
------------------------------------------------------------------------

[~andrew.tolbert]

As I am reading that patch ... what about truststores? Should we not apply the same 
logic there?

I built it all one more time on more recent branches:

[4.1 j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3008/workflows/374c4d90-ff16-414f-b1e1-3dd7974bfd22]
[4.1 j8|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3008/workflows/85477c44-162e-4fab-9d17-f0efd7af5fef]

[5.0 j17|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3013/workflows/2bd35adf-87ea-4bf8-88d4-1005c80ce999]
[5.0 j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3013/workflows/9d8d83dd-f283-4ec8-a9ff-43f410801ced]

[trunk j17|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3012/workflows/699cf0d5-fb26-4c76-8e46-48db627aaec6]
[trunk j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3012/workflows/1dfba849-060f-4440-90ef-1349e937d2f2]


was (Author: smiklosovic):
+1 from me too.

I built it all one more time on more recent branches:

[4.1 j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3008/workflows/374c4d90-ff16-414f-b1e1-3dd7974bfd22]
[4.1 j8|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3008/workflows/85477c44-162e-4fab-9d17-f0efd7af5fef]

[5.0 j17|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3013/workflows/2bd35adf-87ea-4bf8-88d4-1005c80ce999]
[5.0 j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3013/workflows/9d8d83dd-f283-4ec8-a9ff-43f410801ced]

[trunk j17|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3012/workflows/699cf0d5-fb26-4c76-8e46-48db627aaec6]
[trunk j11|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3012/workflows/1dfba849-060f-4440-90ef-1349e937d2f2]

> Empty keystore_password no longer allowed on encryption_options
> ---------------------------------------------------------------
>
>                 Key: CASSANDRA-18778
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18778
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Local/Config
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>             Fix For: 4.1.x, 5.0.x
>
>
> After CASSANDRA-18124 (introduced in 4.1.2 and 5.0) it is no longer possible 
> to set an empty {{keystore_password}} under {{client_encryption_options}} or 
> {{server_encryption_options}} using the default implementation 
> {{{}DefaultSslContextFactory{}}}.
> While keytool does not allow generating keystores with empty passwords, it 
> does support reading them. It is not uncommon to use PKCS12 certificates 
> generated by other tools (eg. openssl) that do not enforce passwords.
> The fix for this should be pretty straightforward, which should involve 
> changing [FileBasedSslContextFactory.validatePassword|https://github.com/apache/cassandra/blob/cassandra-4.1.2/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java#L128-L135] 
> to only disallow null passwords (which would be consistent with previous 
> versions). I will create pull requests against the relevant branches shortly.
> {noformat}
> Exception (org.apache.cassandra.exceptions.ConfigurationException) encountered during startup: Failed to initialize SSL
> org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
>       at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1155)
>       at org.apache.cassandra.config.DatabaseDescriptor.applyAll(DatabaseDescriptor.java:390)
>       at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:204)
>       at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:188)
>       at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:804)
>       at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:747)
>       at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:875)
> Caused by: java.io.IOException: Failed to create SSL context using Native transport
>       at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:405)
>       at org.apache.cassandra.config.DatabaseDescriptor.applySslContext(DatabaseDescriptor.java:1150)
>       ... 6 more
> Caused by: java.lang.IllegalArgumentException: 'keystore_password' must be specified
>       at org.apache.cassandra.security.FileBasedSslContextFactory.validatePassword(FileBasedSslContextFactory.java:133)
>       at org.apache.cassandra.security.FileBasedSslContextFactory.buildKeyManagerFactory(FileBasedSslContextFactory.java:151)
>       at org.apache.cassandra.security.AbstractSslContextFactory.createNettySslContext(AbstractSslContextFactory.java:181)
>       at org.apache.cassandra.security.SSLFactory.createNettySslContext(SSLFactory.java:168)
>       at org.apache.cassandra.security.SSLFactory.validateSslContext(SSLFactory.java:355)
>       ... 7 more
> {noformat}
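
The distinction the issue description draws between a null and an empty keystore password, as an added Java example that is not Cassandra's code and not part of the original message. `validateStrict` and `validateNullOnly` are hypothetical stand-ins for a check that rejects empty passwords and one that rejects only null, and the PKCS12 store is a constructed sample built in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

public class EmptyKeystorePasswordDemo {
    // Hypothetical stand-in for the stricter check: empty is treated like missing.
    static void validateStrict(String password) {
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("'keystore_password' must be specified");
    }

    // Hypothetical stand-in for the proposed behaviour: only null is rejected.
    static void validateNullOnly(String password) {
        if (password == null)
            throw new IllegalArgumentException("'keystore_password' must be specified");
    }

    // Runs the chosen check, then lets the JDK decide whether the password opens the store.
    static String tryLoad(byte[] pkcs12, String configured, boolean strict) {
        try {
            if (strict) validateStrict(configured); else validateNullOnly(configured);
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(pkcs12), configured.toCharArray());
            return "loaded, entries=" + ks.size();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty PKCS12 store written with a zero-length password.
        KeyStore sample = KeyStore.getInstance("PKCS12");
        sample.load(null, null);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        sample.store(buf, new char[0]);
        byte[] pkcs12 = buf.toByteArray();

        System.out.println("strict,    \"\":   " + tryLoad(pkcs12, "", true));
        System.out.println("null-only, \"\":   " + tryLoad(pkcs12, "", false));
        System.out.println("null-only, null: " + tryLoad(pkcs12, null, false));
    }
}
```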


