payaln147_54505 asked ·

dse cassandra nodes rejecting client connection over SSL encryption

I am running dse-5.1.12 and have enabled client and server side encryption. Below is my configuration:


server_encryption_options:
    internode_encryption: all
    keystore: <Cassandra_Home>/conf/ashidmddbcass01p_keystore.jks
    keystore_password: XXXXXXXXXXX
    truststore: <Cassandra_Home>/conf/cassandra-truststore.jks
    truststore_password: XXXXXXXXXXX
    require_client_auth: true

client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: <Cassandra_Home>/conf/ashidmddbcass01p_keystore.jks
    keystore_password: XXXXXXXXXXX
    # require_client_auth: false
    # Set trustore and truststore_password if require_client_auth is true
    truststore: <Cassandra_Home>/conf/cassandra-truststore.jks
    truststore_password: XXXXXXXXXXX


I am seeing the below error frequently in my logs:

INFO [Native-Transport-Requests:12] 2019-12-11 11:45:52,456 Message.java (line 397) Unexpected exception during request; 
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 01000001000000160001000b43514c5f56455253494f4e0005332e302e30
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:871)

However, when I check application connections, there are 124.


1 Answer

Erick Ramirez answered ·

@payaln147_54505 the stack trace was incomplete but it usually means that there's an app/client connecting to the node which is not configured with SSL. The exception is thrown because the server got a packet which is not encrypted.

It's not an issue server-side which is why it's logged at INFO level but there will be an application or client out there getting connection errors because it's not configured to use SSL. Cheers!


Erick,

I have set require_client_auth: false in client_encryption_options which according to my knowledge doesn't need to have a certificate created on application nodes.

Is there a specific setting from the app side I need to do in order to enable SSL?


@payaln147_54505 That's correct but your app servers still need to have the certificates to connect to the DSE nodes because you have enabled client-to-node encryption with:

client_encryption_options:
    enabled: true

For this to work, you need to configure your app to use encryption. For example, if your app is using the Java driver then follow the instructions in this document. Cheers!


Thank you. I was using the Python driver and had to tweak its configuration in order to talk to SSL-enabled Cassandra nodes. It's working fine now.

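The hex string in the logged `NotSslRecordException` can be decoded to confirm the diagnosis in the answer. The Python below is an added example, not part of the original thread: it parses that payload as a CQL native protocol frame and checks whether it starts with a TLS record header instead. The function names are hypothetical, and only the standard protocol versions 1 to 5 are recognised.

```python
import struct

# Payload copied from the NotSslRecordException line in the question's log.
LOGGED_HEX = "01000001000000160001000b43514c5f56455253494f4e0005332e302e30"

# Request opcodes from the CQL native protocol specification.
OPCODES = {0x01: "STARTUP", 0x05: "OPTIONS", 0x07: "QUERY",
           0x09: "PREPARE", 0x0A: "EXECUTE", 0x0B: "REGISTER"}
# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def looks_like_tls(data):
    """True if the bytes begin with a plausible TLS record header (type, 0x03, minor)."""
    return len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03


def read_string_map(body):
    """Decode a CQL [string map]: uint16 pair count, then length-prefixed strings."""
    (count,) = struct.unpack_from(">H", body, 0)
    pos, fields = 2, []
    for _ in range(count * 2):
        (n,) = struct.unpack_from(">H", body, pos)
        fields.append(body[pos + 2:pos + 2 + n].decode("utf-8"))
        pos += 2 + n
    return dict(zip(fields[0::2], fields[1::2]))


def classify(hex_payload):
    """Classify the first bytes a client sent to the native transport port."""
    data = bytes.fromhex(hex_payload)
    if looks_like_tls(data):
        return {"kind": "tls"}
    version = data[0] & 0x7F if data else 0
    # A request frame has the high (direction) bit of the version byte clear.
    if not data or data[0] & 0x80 or not 1 <= version <= 5:
        return {"kind": "unknown"}
    # Protocol v1/v2 use a 1-byte stream id (8-byte header); v3+ use 2 bytes (9-byte header).
    header_len = 8 if version <= 2 else 9
    if len(data) < header_len:
        return {"kind": "unknown"}
    opcode = data[header_len - 5]
    (length,) = struct.unpack_from(">I", data, header_len - 4)
    body = data[header_len:header_len + length]
    result = {"kind": "plaintext-cql", "version": version,
              "opcode": OPCODES.get(opcode, hex(opcode)), "length": length}
    if opcode == 0x01 and len(body) == length:  # skip the body if the log truncated it
        result["options"] = read_string_map(body)
    return result
```

For the logged payload, `classify(LOGGED_HEX)` reports a plaintext protocol v1 STARTUP frame carrying `CQL_VERSION` = `3.0.0`, i.e. a client opening an unencrypted CQL session against a port that has `optional: false`.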