Re: [CVE-2020-17516] Apache Cassandra internode encryption enforcement vulnerability

2021-02-01 Thread Aleksey Yeschenko
Correction: 3.11.x users should upgrade to 3.11.10. 3.11.24 doesn’t exist. Yet. > On 1 Feb 2021, at 18:22, Aleksey Yeschenko wrote: > > CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on > inbound internode connections > > Severity: > Important > > Vendor: > The Apache Sof

Re: [CVE-2020-17516] Apache Cassandra internode encryption enforcement vulnerability

2021-02-01 Thread Valerie Parham-Thompson
This is fixed in config defaults in 3.11.10 or there is something else within the code that fixes? (Are both patch and config change required?) Can you share the Jira ticket? I'm not finding details on search. Valerie > On Feb 1, 2021, at 1:23 PM, Aleksey Yeschenko wrote: > > CVE-2020-17516:

[CVE-2020-17516] Apache Cassandra internode encryption enforcement vulnerability

2021-02-01 Thread Aleksey Yeschenko
CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections Severity: Important Vendor: The Apache Software Foundation Versions Affected: Cassandra 2.1.0 to 2.1.22 Cassandra 2.2.0 to 2.2.19 Cassandra 3.0.0 to 3.0.23 Cassandra 3.11.0 to 3.11.9 Descriptio

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-28 Thread Michael Carlise
For clarity for anybody that comes to this chain in the archive. This might be an issue with Ec2MultiRegionSnitch altogether; not sure. But if I create a local 3 node cluster using ccm (cassandra v 3.11.4), I can drop the keystore/truststore jks files in, and flip encryption and everything wor

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-28 Thread Michael Carlise
telnet from node 1 -> node2 7001 (and 7000) works. However, I can't rule out a JKS keystore/truststore issue. I have tried a number of configurations and none of them have seemed to help (or emit any further error logging). We have a root and intermediate CA cert, and a private key + signed CSR

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Subroto Barua
could be issue with keystore/truststore --- you may want to do keytool -- list  -- validate the files/password; also do md5sum on files from 1 node in west and 1 node in east. check ssl port 7001 --- from 1 node in west --> telnet :7001 (or custom port if you are not using default port) On Mond

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Michael Carlise
Subroto - both tools error; openssl errno 111 - which made me check bound ports on the c* node with encryption flipped. Port 9042 is not open (determined by netstat -ant). Looking at the log differences for when a node is started with/without encryption. Without encryption, I get a bunch of lin

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Michael Carlise
The version given by apt is 8u162-b12-1. Which I think corresponds to openJDK-8-162. When I run jrunscript -e 'print (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256);' the command returns true. Not sure if that is the best way to verify JCE installed. Michael Carlise On Mon, Aug 26,

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Subroto Barua
Michael, Are you able to connect to any c* node via OpenSSL? openssl s_client -connect :9042 cqlsh --ssl Subroto > On Aug 26, 2019, at 2:47 PM, Marc Selwan wrote: > > which exact version of OpenJDK are you using? Is it possible you don't have > JCE on those nodes? (I believe more recent v

Re: unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Marc Selwan
Which exact version of OpenJDK are you using? Is it possible you don't have JCE on those nodes? (I believe more recent versions of Java 8 have this baked in so that might not be it) *Marc Selwan | *DataStax *| *PM, Server Team *|* *(925) 413-7079* *|* Twitter * Q

unable to gossip with peers exception when internode encryption is set to any setting other than 'none'

2019-08-26 Thread Michael Carlise
I originally opened this issue on stackoverflow ( https://stackoverflow.com/questions/57516660/cassandra-node-to-node-encryption-throws-unable-to-gossip-with-peers-exception ). However, I haven't gotten any responses in over a week. I'm going to post it here and maybe someone will have an idea on

RE: Issue in internode encryption in cassandra

2016-08-03 Thread Bastien DINE
(prabhkau) Subject: Re: Issue in internode encryption in cassandra Hi, Does anyone have any hint regarding node to node encryption? Regards, Ashwini Mhatre From: asmhatre mailto:asmha...@cisco.com>> Reply-To: "user@cassandra.apache.org<mailto:user@cassandra.apache.org&

Re: Issue in internode encryption in cassandra

2016-08-03 Thread Ashwini Mhatre (asmhatre)
ly 2016 at 4:15 PM To: "user@cassandra.apache.org<mailto:user@cassandra.apache.org>" mailto:user@cassandra.apache.org>> Subject: Issue in internode encryption in cassandra I am using internode encryption in cassandra, with self signed CA it works fine. but with ot

Re: Issue in internode encryption in cassandra

2016-07-25 Thread Nate McCall
> > > I am using internode encryption in cassandra, with self signed CA it works fine. but with other product CA m getting this error "Filtering out TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket” > You've specified E

Re: Issue in internode encryption in cassandra

2016-07-25 Thread Eric Stevens
va Ciphers.java Compare the output to be certain the same ciphers are available everywhere. On Mon, Jul 25, 2016 at 4:45 AM Ashwini Mhatre (asmhatre) < asmha...@cisco.com> wrote: > Hi , > > I am using internode encryption in cassandra, with self signed CA it works > fine. but wit

Issue in internode encryption in cassandra

2016-07-25 Thread Ashwini Mhatre (asmhatre)
Hi, I am using internode encryption in cassandra, with self signed CA it works fine. but with other product CA I'm getting this error "Filtering out TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as it isnt supported by the socket” Thank you. Regards, Ashwini Mhatre

Re: Internode encryption

2014-08-17 Thread shathawa
> Hi, > > Is it possible to enable internode encryption without downtime? That is, > by enabling it incrementally one node at a time. [1] doesn't mention > anything about that. > > > [1] http://wiki.apache.org/cassandra/InternodeEncryption > > > Thanks, >

Internode encryption

2014-08-17 Thread Jens Rantil
Hi, Is it possible to enable internode encryption without downtime? That is, by enabling it incrementally one node at a time. [1] doesn't mention anything about that. [1] http://wiki.apache.org/cassandra/InternodeEncryption Thanks, Jens — Sent from Mailbox

Re: How to configure internode encryption in 0.8.0?

2011-05-19 Thread Christopher Deutsch
On Tue, May 17, 2011 at 5:47 PM, Sameer Farooqui wrote: > > Unfortunately, the default instructions in the above link > used TLS_RSA_WITH_AES_256_CBC_SHA. So, when I start Cassandra now, I get this > error: > ERROR 00:10:38,734 Exception encountered during startup. > java.lang.IllegalArgumentExc

Re: How to configure internode encryption in 0.8.0?

2011-05-19 Thread Sameer Farooqui
Thanks, Jeremy! Nirmal, any advice on how to generate the key/trust stores with the correct cipher? - Sameer On Wed, May 18, 2011 at 8:10 AM, Jeremy Hanna wrote: > I'll CC Nirmal Ranganathan who implemented the internode encryption who > might be able to give you some advice on t

Re: How to configure internode encryption in 0.8.0?

2011-05-18 Thread Jeremy Hanna
I'll CC Nirmal Ranganathan who implemented the internode encryption who might be able to give you some advice on this. On May 17, 2011, at 7:47 PM, Sameer Farooqui wrote: > Thanks for the link, Jeremy. > > I generated the keystore and truststore for inter-node communication usi

Re: How to configure internode encryption in 0.8.0?

2011-05-17 Thread Sameer Farooqui
ownload at the very bottom. > There are docs and examples there. > e.g. > http://svn.apache.org/repos/asf/cassandra/tags/cassandra-0.8.0-beta2/conf/cassandra.yaml > > On May 16, 2011, at 6:36 PM, Sameer Farooqui wrote: > > > I understand that 0.8.0 has configurable i

Re: How to configure internode encryption in 0.8.0?

2011-05-16 Thread Jeremy Hanna
has configurable internode encryption > (CASSANDRA-1567, 2152). > > I haven't been able to find any info on how to configure it though on this > mailing list or the Datastax website. > > Can somebody point me towards how to set this up? > > - Sameer

How to configure internode encryption in 0.8.0?

2011-05-16 Thread Sameer Farooqui
I understand that 0.8.0 has configurable internode encryption (CASSANDRA-1567, 2152). I haven't been able to find any info on how to configure it though on this mailing list or the Datastax website. Can somebody point me towards how to set this up? - Sameer