payaln147_54505 asked Erick Ramirez commented

dse cassandra nodes rejecting client connection over SSL encryption

I am running dse-5.1.12 and have enabled client and server side encryption. Below is my configuration:


server_encryption_options:
    internode_encryption: all
    keystore: <Cassandra_Home>/conf/ashidmddbcass01p_keystore.jks
    keystore_password: XXXXXXXXXXX
    truststore: <Cassandra_Home>/conf/cassandra-truststore.jks
    truststore_password: XXXXXXXXXXX
    require_client_auth: true

client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: <Cassandra_Home>/conf/ashidmddbcass01p_keystore.jks
    keystore_password: XXXXXXXXXXX
    # require_client_auth: false
    # Set trustore and truststore_password if require_client_auth is true
    truststore: <Cassandra_Home>/conf/cassandra-truststore.jks
    truststore_password: XXXXXXXXXXX


I am seeing the error below frequently in my logs:

INFO [Native-Transport-Requests:12] 2019-12-11 11:45:52,456 Message.java (line 397) Unexpected exception during request; 
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 01000001000000160001000b43514c5f56455253494f4e0005332e302e30
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:871)

However, when I check the application connections, there are 124.


1 Answer

Erick Ramirez answered Erick Ramirez commented

@payaln147_54505 The stack trace was incomplete, but it usually means that there's an app/client connecting to the node which is not configured with SSL. The exception is thrown because the server got a packet which is not encrypted.

It's not an issue server-side, which is why it's logged at INFO level, but there will be an application or client out there getting connection errors because it's not configured to use SSL. Cheers!


payaln147_54505 commented ·

Erick,

I have set require_client_auth: false in client_encryption_options which according to my knowledge doesn't need to have a certificate created on application nodes.

Is there a specific setting from the app side I need to do in order to enable SSL?

Erick Ramirez ♦♦ commented ·

@payaln147_54505 That's correct but your app servers still need to have the certificates to connect to the DSE nodes because you have enabled client-to-node encryption with:

client_encryption_options:
    enabled: true

For this to work, you need to configure your app to use encryption. For example, if your app is using the Java driver then follow the instructions in this document. Cheers!

payaln147_54505 commented ·

Thank you. I was using the Python driver and had to tweak its configuration in order to talk to SSL-enabled Cassandra nodes. It's working fine now.

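The hex payload in the logged NotSslRecordException can be decoded to confirm the diagnosis in the answer: it is a cleartext CQL native-protocol STARTUP frame rather than a TLS record. This is an added example, not code from the thread or from DataStax; the function names are hypothetical and the frame layout is taken from the CQL native protocol specification.

```python
import struct

# Hex payload copied from the NotSslRecordException line quoted in the question.
LOGGED_HEX = "01000001000000160001000b43514c5f56455253494f4e0005332e302e30"

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Request opcodes from the CQL native protocol specification.
CQL_REQUEST_OPCODES = {0x01: "STARTUP", 0x05: "OPTIONS", 0x07: "QUERY",
                       0x09: "PREPARE", 0x0A: "EXECUTE", 0x0B: "REGISTER",
                       0x0D: "BATCH", 0x0F: "AUTH_RESPONSE"}


def read_string_map(body):
    """Decode a CQL [string map]: uint16 pair count, then length-prefixed strings."""
    (count,) = struct.unpack_from(">H", body, 0)
    pos, strings = 2, []
    for _ in range(count * 2):
        (size,) = struct.unpack_from(">H", body, pos)
        strings.append(body[pos + 2:pos + 2 + size].decode("utf-8"))
        pos += 2 + size
    return dict(zip(strings[0::2], strings[1::2]))


def classify(hex_payload):
    """Say whether the bytes start a TLS record or hold one plaintext CQL request."""
    data = bytes.fromhex(hex_payload)
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[data[0]]}
    if len(data) < 8 or data[0] & 0x80:  # too short, or direction bit = response
        return {"kind": "unknown"}
    version = data[0]
    # Protocol v1/v2 use a 1-byte stream id (8-byte header); v3+ use 2 bytes (9).
    header_len = 8 if version <= 2 else 9
    if len(data) < header_len:
        return {"kind": "unknown"}
    opcode = data[header_len - 5]
    (length,) = struct.unpack_from(">i", data, header_len - 4)
    name = CQL_REQUEST_OPCODES.get(opcode)
    if name is None or length != len(data) - header_len:
        return {"kind": "unknown"}
    result = {"kind": "plaintext_cql", "protocol_version": version, "opcode": name}
    if name == "STARTUP":
        result["options"] = read_string_map(data[header_len:])
    return result


if __name__ == "__main__":
    print(classify(LOGGED_HEX))
```

A result of `plaintext_cql` with opcode `STARTUP` means a client opened the native transport port without TLS, so the fix belongs in that client's driver configuration rather than in cassandra.yaml.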