The hard-coded protocol selection has been removed in one of the 3.x
releases. You may want to consider updating to the latest 3.11 release.


On 24.04.18 19:21, Lou DeGenaro wrote:
> Here is what I was told by IBM JVM Support:
>
>     ...the string "SSLv2Hello" is not supported in IBM JVM but more
>     importantly, the protocol SSLv2 is no longer a valid protocol in
>     our JVM. We don't even have SSLv3 enabled by default due to the
>     HIGH severity vulnerabilities this protocol has.
>
> Is there anything I can do to use IBM JVM and Cassandra with encryption?
>
> Thanks.
>
> Lou.
>
> On Tue, Apr 24, 2018 at 12:41 PM, Michael Shuler
> <mich...@pbandjelly.org> wrote:
>
>     Correct!
>
>     Thanks for the trace, Lou.
>
>     SSLFactory.java:67 specifies a list of protocols, including
>     SSLv2Hello.
>
>     "It [IBM JSSE] does not support specifying SSLv2Hello."
>     https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/knowndiffsun.html
>
>     Apache Cassandra is tested on Oracle JDK and OpenJDK. Use a supported
>     version of either of those, and this problem should go away.
>     Alternatively, do a custom build of Cassandra, if you must run a
>     little-used JDK?
>
>     Also, just for a little additional info, SSLv2Hello != SSLv2, so I do
>     not believe that there is a worry about some weak protocol here.
>     https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4915862
>
>     -- 
>     Kind regards,
>     Michael
>
>     On 04/24/2018 11:23 AM, Marcus Haarmann wrote:
>     > OK, this is IBM JDK. The options might differ. I have been searching for
>     > Oracle Java options.
>     > You will need to consult the IBM documentation in this case.
>     >
>     > Marcus Haarmann
>     >
>     >
>     ------------------------------------------------------------------------
>     > *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
>     > *To: *"user" <user@cassandra.apache.org>
>     > *Sent: *Tuesday, 24 April 2018 16:08:06
>     > *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
>     >
>     > Thanks for your suggestions.  I tried using the -D shown below:
>     >
>     >     degenaro@bluej421:/users/degenaro/cassandra/bluej421> ./bin/cassandra
>     >     degenaro@bluej421:/users/degenaro/cassandra/bluej421> numactl --interleave=all
>     >     /share/ibm-jdk1.8/bin/java -Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello
>     >     -Xloggc:./bin/../logs/gc.log -XX:+UseParNewGC -XX:+UseConcMarkSweepGC
>     >     -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1
>     >     -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly
>     >     -XX:CMSWaitDuration=10000...
>     >     ...
>     >     WARN  14:01:09 Filtering out [TLS_RSA_WITH_AES_128_CBC_SHA,
>     >     TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>     >     TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>     >     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] as it isn't supported by the socket
>     >     Exception (java.lang.IllegalArgumentException) encountered during
>     >     startup: SSLv2Hello is not a recognized protocol.
>     >     java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
>     >         at com.ibm.jsse2.S.a(S.java:112)
>     >         at com.ibm.jsse2.S.b(S.java:136)
>     >         at com.ibm.jsse2.S.<init>(S.java:177)
>     >         at com.ibm.jsse2.as.setEnabledProtocols(as.java:2)
>     >         at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:67)
>     >         at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:514)
>     >         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:498)
>     >         at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:482)
>     >         at org.apache.cassandra.service.StorageService.prepareToJoin(StorageService.java:765)
>     >         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:654)
>     >         at org.apache.cassandra.service.StorageService.initServer(StorageService.java:534)
>     >         at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:344)
>     >         at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:568)
>     >         at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:696)
>     >     ERROR 14:01:09 Exception encountered during startup
>     >     java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
>     >
>     >
>     > Who is at fault: user, Cassandra, JVM, OS?
>     >
>     > Thanks.
>     >
>     > Lou.
>     >
>     >
>     > On Tue, Apr 24, 2018 at 9:43 AM, Marcus Haarmann
>     > <marcus.haarm...@midoco.de> wrote:
>     >
>     >     Hi,
>     >
>     >     I did take a look into the source code of 3.11, but I believe the
>     >     code is more or less the same.
>     >     The SSL code makes use of Java SSL Sockets so you can limit the
>     >     protocols in the "Java way".
>     >     The Java way (at least for a recent Java 8) is to set up the
>     >     protocols in the <jre>/lib/security/java.security file.
>     >     Or to define a system property on the command line
>     >     (-Dhttps.protocols=TLSv1.2,TLSv1.1,SSLv2Hello).
>     >
>     >     There are multiple options for SSL configuration in the config
>     >     (https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureSSLNodeToNode.html)
>     >     The most interesting one in your situation would be the
>     >     cipher_suites option, which allows you
>     >     to limit the available cipher suites, e.g.
>     >     to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>     >     (which is a TLS1.2-only cipher suite).
>     >
>     >     You can check the offered protocols for your server with an open
>     >     source tool like sslyze (https://github.com/nabla-c0d3/sslyze)
>     >
>     >     Marcus Haarmann
>     >
>     >     ------------------------------------------------------------------------
>     >     *From: *"Lou DeGenaro" <lou.degen...@gmail.com>
>     >     *To: *"user" <user@cassandra.apache.org>
>     >     *Sent: *Tuesday, 24 April 2018 11:21:06
>     >     *Subject: *Re: How to configure Cassandra to NOT use SSLv2?
>     > 
>     >     Can someone please tell me how to prevent Cassandra 3.0.9 from
>     >     using SSLv2?  Happy to use a newer version of Cassandra if that's
>     >     what's required.
>     >
>     >     On Sat, Apr 21, 2018 at 8:30 AM, Lou DeGenaro
>     >     <lou.degen...@gmail.com> wrote:
>     >
>     >         3.0.9
>     >
>     >         On Fri, Apr 20, 2018 at 10:26 PM, Michael Shuler
>     >         <mich...@pbandjelly.org> wrote:
>     >
>     >             On 04/20/2018 08:46 AM, Lou DeGenaro wrote:
>     >             > Could you be more specific?  What does one specify exactly
>     >             > to assure SSLv2 is not used for both client-server and
>     >             > server-server communications?  Example yaml statements
>     >             > would be wonderful.
>     >
>     >             The defaults in cassandra.yaml have only TLS specified in
>     >             the current branch HEADs. I'm pretty sure SSLv2/3 removal
>     >             was a post-POODLE commit.
>     >             It's possible you may be on something older - what version
>     >             are we talking about?
>     >
>     >             --
>     >             Michael
>     >
>     >             ---------------------------------------------------------------------
>     >             To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
>     >             For additional commands, e-mail: user-h...@cassandra.apache.org
>     >
>     >
>     >
>     >
>
>
>
>
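
The trace above shows the root cause: a fixed protocol list is handed straight to setEnabledProtocols, and IBM JSSE throws IllegalArgumentException for the name it does not know. One defensive way to build that list is to intersect the configured names with what the provider actually supports, refusing the legacy SSL versions outright. This is an added example, not code from Cassandra or from anyone in this thread; the class name ProtocolFilter and the method filterProtocols are my own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ProtocolFilter {
    // Legacy protocols that must never be enabled, whatever the provider supports.
    private static final Set<String> FORBIDDEN =
            new HashSet<>(Arrays.asList("SSLv2", "SSLv3"));

    /**
     * Keep only the configured protocols that the provider supports and that are not
     * forbidden. Unknown names (e.g. "SSLv2Hello" on IBM JSSE) are dropped with a
     * warning instead of being passed to setEnabledProtocols, where they would throw.
     */
    static String[] filterProtocols(String[] configured, String[] supported) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        for (String name : configured) {
            if (FORBIDDEN.contains(name)) {
                System.err.println("WARN  refusing to enable legacy protocol " + name);
            } else if (!supportedSet.contains(name)) {
                System.err.println("WARN  dropping " + name + ": not supported by this JSSE provider");
            } else {
                enabled.add(name);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed: refuse to listen rather than fall back to provider defaults.
            throw new IllegalStateException("no usable TLS protocol in " + Arrays.toString(configured));
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Same list the thread tried via -Dhttps.protocols; SSLv2Hello is unknown to IBM JSSE.
        String[] configured = {"TLSv1.2", "TLSv1.1", "SSLv2Hello"};
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            socket.setEnabledProtocols(filterProtocols(configured, socket.getSupportedProtocols()));
            System.out.println("Enabled protocols: " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

On Oracle JDK or OpenJDK 8, SSLv2Hello is in getSupportedProtocols and survives the filter; on IBM JDK it is dropped with a warning and startup proceeds with TLSv1.2 and TLSv1.1 only.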

