Thanks for your suggestions. I tried using the -D shown below:

> degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
> degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
> ...
> WARN 14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
> Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
> java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
>         at com.ibm.jsse2.S.a(S.java:112)
>         at com.ibm.jsse2.S.b(S.java:136)
>         at com.ibm.jsse2.S.<init>(S.java:177)
>         at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
>         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
>         at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
>         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
>         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
>         at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
>         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
>         at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
>         at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
>         at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
> ERROR 14:01:09 Exception encountered during startup
> java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
Who is at fault: user, Cassandra, JVM, OS?

Thanks.

Lou.

On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <marcus.haarm...@midoco.de> wrote:

> Hi,
>
> I did take a look into the source code of 3.11, but I believe the code is more or less the same.
> The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
> The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file.
> Or to define a system property on the command line (-Dhttps.protocols = TLSv1.2,TLSv1.1,SSLv2Hello).
>
> There are multiple options for SSL configuration in the config (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
> The most interesting one in your situation would be the cipher_suites option, which allows you to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (which is a TLS1.2-only cipher suite).
>
> You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze)
>
> Marcus Haarmann
>
> ------------------------------
> *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
> *To: *"user" <user@cassandra.apache.org>
> *Sent: *Tuesday, 24 April 2018 11:21:06
> *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
>
> Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2?
> Happy to use a newer version of Cassandra if that's what's required.
>
> On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lou.degen...@gmail.com> wrote:
>
>> 3.0.9
>>
>> On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mich...@pbandjelly.org> wrote:
>>
>>> On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
>>> > Could you be more specific? What does one specify exactly to assure SSLv2 is not used for both client-server and server-server communications? Example yaml statements would be wonderful.
>>>
>>> The defaults in cassandra.yaml have only TLS specified in the current branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit. It's possible you may be on something older - what version are we talking about?
>>>
>>> --
>>> Michael
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
>>> For additional commands, e-mail: user-h...@cassandra.apache.org
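The stack trace in this thread shows where the startup dies: javax.net.ssl's setEnabledProtocols() rejects the whole list with an IllegalArgumentException as soon as one name (here SSLv2Hello) is unknown to the JSSE provider, whereas the cipher-suite list was merely trimmed with a WARN. The block below is an added example written for this thread, not Cassandra's SSLFactory code and not part of any message above. It shows the defensive pattern for both lists: intersect the wish-list with getSupportedProtocols() and getSupportedCipherSuites() before enabling anything, refuse the SSLv2/SSLv3 family outright even on providers that would accept it, and fail loudly if nothing usable remains. The class name and the WANTED_* lists are constructed for illustration (the protocol list mirrors the -Dhttps.protocols value tried above; the first cipher suite is the TLS 1.2-only one Marcus mentioned, the others are arbitrary examples).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not Cassandra's SSLFactory: enable only protocols and cipher
 * suites that are both wanted and supported by the JSSE provider in use, and
 * never enable anything from the SSLv2/SSLv3 family.  Consulting the
 * getSupported*() lists first is what avoids the
 * "SSLv2Hello is not a recognized protocol" IllegalArgumentException.
 */
public class TlsProtocolFilter {

    // Hypothetical wish-list, mirroring the -Dhttps.protocols value from the thread.
    static final String[] WANTED_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "SSLv2Hello"};

    // Hypothetical wish-list of cipher suites (constructed for illustration).
    static final String[] WANTED_CIPHER_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    /**
     * Keep the wanted entries that the provider supports, in wanted order.
     * With rejectSslFamily set, anything named SSLv* (SSLv2, SSLv3 and the
     * SSLv2Hello pseudo-protocol) is dropped even if the provider offers it.
     */
    static String[] filter(String[] wanted, String[] supported, String label, boolean rejectSslFamily) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        List<String> dropped = new ArrayList<>();
        for (String w : wanted) {
            boolean sslFamily = rejectSslFamily && w.startsWith("SSLv");
            if (available.contains(w) && !sslFamily) {
                kept.add(w);
            } else {
                dropped.add(w);
            }
        }
        if (!dropped.isEmpty()) {
            // Mirrors the WARN Cassandra prints for unsupported cipher suites.
            System.out.println("WARN dropping " + label + " " + dropped
                + " (unsupported by this JSSE provider or in the SSLv* family)");
        }
        if (kept.isEmpty()) {
            // Refusing to start beats silently listening with no usable protocol.
            throw new IllegalStateException("no usable " + label + " left after filtering");
        }
        return kept.toArray(new String[0]);
    }

    /** Apply the filtered lists to a server socket before it starts accepting. */
    static void harden(SSLServerSocket socket) {
        socket.setEnabledProtocols(
            filter(WANTED_PROTOCOLS, socket.getSupportedProtocols(), "protocols", true));
        socket.setEnabledCipherSuites(
            filter(WANTED_CIPHER_SUITES, socket.getSupportedCipherSuites(), "cipher suites", false));
    }

    public static void main(String[] args) throws Exception {
        // The default SSLContext is enough to create (not accept on) a server socket,
        // so this runs without a keystore and just reports what would be enabled.
        SSLServerSocket socket = (SSLServerSocket) SSLContext.getDefault()
            .getServerSocketFactory().createServerSocket(0);
        try {
            harden(socket);
            System.out.println("enabled protocols:     " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("enabled cipher suites: " + Arrays.toString(socket.getEnabledCipherSuites()));
        } finally {
            socket.close();
        }
    }
}
```

Compile with javac and run it under the same JVM Cassandra uses: on a provider that lists SSLv2Hello the entry is dropped by the SSLv* rule, on one that does not (as the IBM JSSE2 trace above indicates) it is dropped because it is absent from getSupportedProtocols(), and neither path reaches setEnabledProtocols() with an unrecognised name. Whatever the JVM reports, the authoritative check is still an external one against the listening port, which is what Marcus's sslyze suggestion gives you.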