• Type: Enhancement
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.5.0.CR1, 1.5.0.Beta1
    • Component/s: cassandra-connector
    • Labels: None

      Hello,

      At the moment, when we want to configure TLS connections with Cassandra, we are limited to the default ciphers supported by Netty.

      Here is an extract of the startup log:

      *** ClientHello, TLSv1.2
      RandomCookie: GMT: 1615387530 bytes = { 98, 186, 19, 160, 108, 83, 50, 58, 65, 217, 199, 250, 59, 195, 11, 137, 153, 189, 1, 118, 115, 190, 194, 32, 243, 141, 173, 220 }
      Session ID: {}
      Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
      Compression Methods: { 0 }
      Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
      Extension ec_point_formats, formats: [uncompressed]
      Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
      Extension extended_master_secret
      Extension renegotiation_info, renegotiated_connection: <empty>
      ***


      If for any reason, which is my case of course, you did not configure one of them, you can't enable TLS connections with Cassandra.

      It would be nice to have at least, for example:

      • cassandra.ssl.enabledProtocols
      • cassandra.ssl.ciphersuites

      Can you improve this?

            [DBZ-3262] Add more parameters to TLS support

            Debezium Builder added a comment:

            Released

            Gunnar Morling added a comment:

            Code PR merged; leaving issue open until the new option has been added to the connector docs, too.

            Gunnar Morling added a comment:

            Excellent, thanks all! Looking forward to the PR then!

            Ahmed Eljami (Inactive) added a comment:

            Thanks bingqinzhou, and yeah, we will test it before doing the PR.

            Cheers

            Bingqin Zhou (Inactive) added a comment:

            I'm OK with the change as long as it doesn't break or require any further change to the current use case. When testing it, please make sure that the Cassandra Connector can work as normal without needing to make any changes in the SSL config file and the CDC config file, thanks.

            Ahmed Eljami (Inactive) added a comment (edited):

            Thanks jeremyvigny, it could help users using cipher suites that cannot be found in the default suites.

            bingqinzhou, WDYT about this improvement? In our environment, we are using the cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, which doesn't exist in the default list of ciphers, and we need to add it to the SslContextBuilder (https://github.com/debezium/debezium-connector-cassandra/blob/082da6e18cf2020318e95e04707661f90d757092/src/main/java/io/debezium/connector/cassandra/network/SslContextFactory.java#L56).

            As jeremyvigny pointed out, it would be an optional parameter that the user can change to the right cipher if necessary.

            Jeremy Vigny (Inactive) added a comment:

            Hey, I'm working with albundy83 and ahmedjami. I just added the following lines to this class:

            // Hard-coded for the test; the suite list should come from the properties file.
            List<String> cipherSuites = new ArrayList<String>();
            cipherSuites.add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
            builder.ciphers(cipherSuites);

            I tested with Cassandra and it's working. We just need to improve it a bit (read the cipher suites from the properties file).
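The ClientHello in the issue description shows Netty's default JDK cipher list, and the comment above hard-codes one extra suite into the SslContextBuilder. Below is an added example, not code from this issue or from the connector, of how the two properties proposed here (cassandra.ssl.enabledProtocols and cassandra.ssl.ciphersuites) could be read from a Properties object and applied through Netty's SslContextBuilder, together with the check a practitioner should run afterwards: SslContextBuilder.ciphers(...) replaces Netty's entire default list and silently filters out any name the JDK provider does not support, so a misspelled or unsupported suite yields an empty or wrong list rather than an error. The class name and the trust-certificate property name are assumptions made for this example; the sample configuration is constructed.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

/**
 * Added example (not the connector's code): builds a Netty client SslContext whose
 * protocols and cipher suites come from configuration instead of Netty's defaults.
 * Property names follow the ones proposed in DBZ-3262; the trust-certificate key and
 * this class name are assumed for illustration.
 */
public final class CassandraTlsParams {

    static final String PROTOCOLS_KEY = "cassandra.ssl.enabledProtocols";
    static final String CIPHERS_KEY = "cassandra.ssl.ciphersuites";
    // Assumed key: PEM file holding the CA certificate(s) that signed the Cassandra node certificates.
    static final String TRUST_CERTS_KEY = "cassandra.ssl.trustCertCollectionFile";

    private CassandraTlsParams() {
    }

    /** Splits a comma-separated value into trimmed, non-empty entries; null or blank gives an empty list. */
    static List<String> splitList(String raw) {
        if (raw == null) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (String part : raw.split(",")) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    /** When a property is absent the Netty default is kept, so existing configurations work unchanged. */
    public static SslContext buildClientContext(Properties props) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(SslProvider.JDK);

        String trustCerts = props.getProperty(TRUST_CERTS_KEY);
        if (trustCerts != null) {
            builder.trustManager(new File(trustCerts));
        }

        List<String> protocols = splitList(props.getProperty(PROTOCOLS_KEY));
        if (!protocols.isEmpty()) {
            builder.protocols(protocols.toArray(new String[0]));
        }

        // ciphers(...) replaces the whole default list; names unsupported by the JDK are dropped silently.
        List<String> ciphers = splitList(props.getProperty(CIPHERS_KEY));
        if (!ciphers.isEmpty()) {
            builder.ciphers(ciphers);
        }
        return builder.build();
    }

    /** Returns the requested suites that are NOT enabled on an engine from this context (i.e. would not be offered). */
    public static List<String> missingCipherSuites(SslContext ctx, List<String> requested) {
        SSLEngine engine = ctx.newEngine(UnpooledByteBufAllocator.DEFAULT);
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        List<String> missing = new ArrayList<>();
        for (String suite : requested) {
            if (!enabled.contains(suite)) {
                missing.add(suite);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws SSLException {
        // Constructed sample configuration, as it might appear in the connector's properties file.
        Properties props = new Properties();
        props.setProperty(PROTOCOLS_KEY, "TLSv1.2");
        props.setProperty(CIPHERS_KEY,
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

        SslContext ctx = buildClientContext(props);
        List<String> requested = splitList(props.getProperty(CIPHERS_KEY));
        List<String> missing = missingCipherSuites(ctx, requested);
        if (!missing.isEmpty()) {
            // Fail at startup with a clear message instead of an opaque handshake failure later.
            throw new IllegalStateException("Cipher suites not enabled by the JDK provider: " + missing);
        }
        SSLEngine engine = ctx.newEngine(UnpooledByteBufAllocator.DEFAULT);
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Enabled cipher suites: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Compile against netty-handler 4.1.x. Running the JVM with -Djavax.net.debug=ssl:handshake prints the same "*** ClientHello" block as in the issue description, which is the quickest way to confirm that the offered Cipher Suites list now contains exactly the configured suites and nothing else.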

            Grégoire Bellon-Gervais (Inactive) added a comment:

            Unfortunately no, as all the available values are here:

            https://github.com/debezium/debezium-connector-cassandra/blob/main/src/main/java/io/debezium/connector/cassandra/network/SslConfig.java

            I will see if we can do a PR to help the resolution.

            Jiri Pechanec added a comment:

            albundy83 Is it not possible to add those options into https://debezium.io/documentation/reference/1.4/connectors/cassandra.html#cassandra-property-cassandra-ssl-config-path ?

            Gunnar Morling added a comment:

            Yes, surely things can be improved here. Would you be willing to send a PR? That'd probably be the quickest way to move forward. Pinging bingqinzhou for awareness too.

              Assignee: Unassigned
              Reporter: albundy83 (Grégoire Bellon-Gervais, Inactive)