Correct! Thanks for the trace, Lou.

SSLFactory.java:67 specifies a list of protocols, including SSLv2Hello.

"It [IBM JSSE] does not support specifying SSLv2Hello."
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html

Apache Cassandra is tested on Oracle JDK and OpenJDK. Use a supported version of either of those, and this problem should go away. Alternatively, do a custom build of Cassandra, if you must run a little-used JDK?

Also, just for a little additional info, SSLv2Hello != SSLv2, so I do not believe that there is a worry about some weak protocol here.
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4915862

--
Kind regards,
Michael

On 04/24/2018 11:23 AM, Marcus Haarmann wrote:
> OK, this is IBM JDK. The options might differ. I have been searching for
> Oracle Java options.
> You will need to consult the IBM documentation in this case.
>
> Marcus Haarmann
>
> ------------------------------------------------------------------------
> *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
> *To: *"user" <user@cassandra.apache.org>
> *Sent: *Tuesday, 24 April 2018 16:08:06
> *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
>
> > Thanks for your suggestions. I tried using the -D shown below:
> >
> > degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
> > degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000...
> > ...
> > WARN 14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
> > Exception (java.lang.IllegalArgumentException) encountered during startup: SSLv2Hello is not a recognized protocol.
> > java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
> >         at com.ibm.jsse2.S.a(S.java:112)
> >         at com.ibm.jsse2.S.b(S.java:136)
> >         at com.ibm.jsse2.S.<init>(S.java:177)
> >         at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
> >         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
> >         at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
> >         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
> >         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
> >         at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
> >         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
> >         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
> >         at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
> >         at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
> >         at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
> > ERROR 14:01:09 Exception encountered during startup
> > java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
> >
> > Who is at fault: user, Cassandra, JVM, OS?
> >
> > Thanks.
> >
> > Lou.
> >
> > On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann <marcus.haarm...@midoco.de> wrote:
> > > Hi,
> > > I did take a look into the source code of 3.11, but I believe the code is more or less the same.
> > > The SSL code makes use of Java SSL Sockets so you can limit the protocols in the "Java way".
> > > The Java way (at least for a recent Java 8) is to set up the protocols in the <jre>/lib/security/java.security file.
> > > Or to define a system property on the command line (-Dhttps.protocols = TLSv1.2,TLSv1.1,SSLv2Hello).
> > >
> > > There are multiple options for SSL configuration in the config
> > > (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
> > > The most interesting one in your situation would be the cipher_suites option, which allows you to limit the available cipher suites e.g. to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (which is a TLS1.2-only cipher suite).
> > >
> > > You can check the offered protocols for your server with an open source tool like sslyze (https://github.com/nabla-c0d3/sslyze)
> > >
> > > Marcus Haarmann
> > >
> > > ------------------------------------------------------------------------
> > > *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
> > > *To: *"user" <user@cassandra.apache.org>
> > > *Sent: *Tuesday, 24 April 2018 11:21:06
> > > *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
> > >
> > > > Can someone please tell me how to prevent Cassandra 3.0.9 from using SSLv2? Happy to use a newer version of Cassandra if that's what's required.
> > > >
> > > > On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro <lou.degen...@gmail.com> wrote:
> > > > > 3.0.9
> > > > >
> > > > > On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler <mich...@pbandjelly.org> wrote:
> > > > > > On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
> > > > > > > Could you be more specific? What does one specify exactly to assure SSLv2 is not used for both client-server and server-server communications? Example yaml statements would be wonderful.
> > > > > >
> > > > > > The defaults in cassandra.yaml have only TLS specified in the current branch HEADs. I'm pretty sure SSLv2/3 removal was a post-POODLE commit.
> > > > > > It's possible you may be on something older - what version are we talking about?
> > > > > >
> > > > > > --
> > > > > > Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
For additional commands, e-mail: user-h...@cassandra.apache.org
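The trace above fails because a fixed protocol list is handed straight to `setEnabledProtocols()`, and IBM JSSE rejects the `SSLv2Hello` entry that Oracle/OpenJDK accept. The following is an added example, not Cassandra's `SSLFactory` or anything from the IBM documentation: it asks the running JSSE provider what it supports via `getSupportedProtocols()`, drops unsupported names with a warning (the same treatment Cassandra already gives cipher suites in the `Filtering out [...]` line of the trace), and only then enables the remainder. The `REQUESTED` list is a constructed stand-in for the hard-coded one; on Oracle/OpenJDK all three entries survive, on IBM JSSE `SSLv2Hello` is filtered instead of aborting startup. Note that `SSLv2Hello` only permits the SSLv2-format ClientHello record; enabling it does not enable the SSLv2 protocol.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not Cassandra's SSLFactory): enable only the protocols the
 * running JSSE provider actually supports, instead of passing a hard-coded
 * list straight to setEnabledProtocols(), which throws
 * IllegalArgumentException on IBM JSSE when the list contains "SSLv2Hello".
 */
public class ProtocolFilterDemo {

    /** Constructed, Cassandra-like wish list; "SSLv2Hello" is the entry IBM JSSE rejects. */
    static final String[] REQUESTED = { "TLSv1.2", "TLSv1.1", "SSLv2Hello" };

    /**
     * Keep only the requested protocols that the provider reports as supported,
     * preserving the requested order. Unsupported names are appended to
     * 'dropped' so the caller can log them, mirroring Cassandra's
     * "Filtering out [...] as it isn't supported by the socket" cipher-suite warning.
     */
    static String[] filterSupported(String[] requested, String[] supported, List<String> dropped) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String p : requested) {
            if (supportedSet.contains(p)) {
                kept.add(p);
            } else {
                dropped.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Refusing to start is safer than silently falling back to the provider's defaults.
            throw new IllegalStateException("none of " + Arrays.toString(requested)
                    + " is supported by this JSSE provider");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust material suffices to inspect protocol support

        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Ephemeral port, nothing is accepted; the socket is only used to query and set protocols.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            String[] supported = server.getSupportedProtocols();
            System.out.println("Provider supports: " + Arrays.toString(supported));

            List<String> dropped = new ArrayList<>();
            String[] enabled = filterSupported(REQUESTED, supported, dropped);
            if (!dropped.isEmpty()) {
                System.out.println("WARN Filtering out " + dropped
                        + " as it isn't supported by the socket");
            }
            server.setEnabledProtocols(enabled); // every name was validated above, so this cannot throw
            System.out.println("Enabled: " + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

Run it with the same `java` binary Cassandra uses (`/share/ibm-jdk1.8/bin/java` in the trace) to see exactly which protocol names that provider recognises before deploying a protocol list to `cassandra.yaml` or to `-Dhttps.protocols`.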