
How to verify TLS version used by Cassandra in Apigee Hybrid for internode, intranode, interpod and

  • In Apigee Hybrid, Cassandra's TLS and cipher suite choices are dictated by the JVM it uses.
  • Java will negotiate the highest supported protocol between the server and client, typically TLS v1.3 for internode and interpod communication, as well as between runtime and synchronizer.
  • For user-setup operations we do not specify the protocol version. Instead, we rely on default configuration, which attempts to negotiate the highest protocol version available.
  • For backup and restore pods, we use cqlsh to establish an SSL connection with the Cassandra server. cqlsh leverages Python's SSL package, which also negotiates the highest TLS protocol version available.
  • Upon starting Cassandra, the logs indicate the enabled TLS protocol versions:
INFO [main] 2024-06-01 13:14:12,381 YamlConfigurationLoader.java:97 - Configuration location: file:/opt/apigee/apache-cassandra-4.0.11/conf/cassandra.yaml
INFO [main] 2024-06-01 13:14:12,825 SSLFactory.java:521 - Internode messaging enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
INFO [main] 2024-06-01 13:14:12,826 SSLFactory.java:524 - Internode messaging enabled cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
  • To verify the TLS version used by Cassandra, you can use the openssl s_client command against various ports
# kubectl get po -n apigee -o wide -l app=apigee-cassandra
NAME                         READY   STATUS    RESTARTS   AGE   IP
apigee-cassandra-default-0   1/1     Running   0          39h   x.x.x.x
apigee-cassandra-default-1   1/1     Running   0          39h   y.y.y.y
apigee-cassandra-default-2   1/1     Running   0          38h   z.z.z.z

 

  • Example commands to check TLS versions
# openssl s_client -connect x.x.x.x:7001 -tls1_2
# openssl s_client -connect x.x.x.x:7001 -tls1_3
# openssl s_client -connect x.x.x.x:7070 -tls1_2
# openssl s_client -connect x.x.x.x:7070 -tls1_3
# openssl s_client -connect x.x.x.x:7199 -tls1_2
# openssl s_client -connect x.x.x.x:7199 -tls1_3
# openssl s_client -connect x.x.x.x:9042 -tls1_2
# openssl s_client -connect x.x.x.x:9042 -tls1_3
# openssl s_client -connect x.x.x.x:9142 -tls1_2
# openssl s_client -connect x.x.x.x:9142 -tls1_3

 

  • Use these commands to ensure that the highest possible TLS version is being used for secure communication within your Apigee Hybrid deployment.
  • In a similar way, you can enter any one Cassandra pod and verify the TLS version using openssl commands.
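
The checks described in the post above, as an added example (not part of the original post and not Apigee tooling): it flags the legacy versions advertised in the startup log line and reports which protocol each `openssl s_client` probe actually negotiates. It also probes `-tls1` and `-tls1_1`, which goes beyond the `-tls1_2`/`-tls1_3` commands shown; the function names and the sample s_client lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the TLS versions a Cassandra pod advertises and accepts.
PORTS="7001 7070 7199 9042 9142"   # ports listed in the post

# Startup log line quoted in the post, used here as sample input.
SAMPLE_LOG='INFO [main] 2024-06-01 13:14:12,825 SSLFactory.java:521 - Internode messaging enabled TLS protocols: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3'
# Constructed s_client summary lines (success and failed handshake).
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)'

# Print the legacy protocols (TLSv1, TLSv1.1) named in an
# "enabled TLS protocols" log line, space-separated; empty if none.
legacy_protocols_in_log() {
  printf '%s\n' "$1" |
    sed -n 's/.*enabled TLS protocols: *//p' |
    tr ',' '\n' | tr -d ' ' |
    grep -E -x 'TLSv1(\.1)?' | tr '\n' ' ' | sed 's/ $//'
}

# Extract the negotiated protocol from s_client output, or "none"
# when no handshake completed.
negotiated_protocol() {
  p=$(printf '%s\n' "$1" |
      sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
  printf '%s' "${p:-none}"
}

# Probe every port with each version flag and report the outcome.
# "none" for -tls1/-tls1_1 can also come from the local OpenSSL build
# or security level refusing those versions, so confirm against the log.
audit_host() {
  for port in $PORTS; do
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
      out=$(openssl s_client -connect "$1:$port" "-$flag" </dev/null 2>&1) || true
      echo "$1:$port -$flag -> $(negotiated_protocol "$out")"
    done
  done
}

# Runs only when a pod IP is passed, e.g.: sh tls_audit.sh x.x.x.x
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Any port that reports `TLSv1` or `TLSv1.1` for the corresponding flag still accepts a legacy protocol, matching what the startup log advertises.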

2 REPLIES 2

Thanks for this. A couple of questions.

1. Is this accurate?

Cassandra's TLS and cipher suite choices are dictated by the JVM it uses, which is currently Java 1.7.

Is it not Java 11?

https://cloud.google.com/apigee/docs/hybrid/supported-platforms


2. Is there a way to restrict the TLS version to a subset, for example TLS v1.2 or TLSv1.3, to the exclusion of TLSv1.1 and TLSv1? And a similar question regarding the cipher suites. I know this is possible in Java. How is it done in Apigee hybrid for the Cassandra nodes?

 

  • Thank you for your reply.
  • The details of the Java version are as below, from an Apigee Hybrid 1.12 test setup:
  • # helm version
    version.BuildInfo{Version:"v3.15.1", GitCommit:"e211f2aa62992bd72586b395de50979e31231829", GitTreeState:"clean", GoVersion:"go1.22.3"}
    
    # kubectl version
    Client Version: v1.29.5
    Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
    Server Version: v1.29.6-gke.1038001
    
    # java -version
    openjdk version "1.8.0_422"
    OpenJDK Runtime Environment (build 1.8.0_422-b05)
    OpenJDK 64-Bit Server VM (build 25.422-b05, mixed mode)
    
    # kubectl -n apigee exec -it apigee-runtime-azharshaikh-hyb-envtesthybrid-xx-yy-zz -- java --version
    openjdk 11.0.22 2024-01-16
    OpenJDK Runtime Environment (build 11.0.22+7-post-Debian-1deb10u1)
    OpenJDK 64-Bit Server VM (build 11.0.22+7-post-Debian-1deb10u1, mixed mode, sharing)
  • Currently, there is no configurable parameter for the TLS protocol version in Cassandra for Apigee Hybrid.