Datastax Java Driver TLS Support #57

Closed
magnusart opened this issue May 31, 2015 · 14 comments
@magnusart
Contributor

Hi

I poked around in the code and could not find any support for TLS (SSL). Is this planned or excluded on purpose? When running Cassandra in the Cloud it feels like a good idea to have traffic encrypted.

It looks as if the DataStax driver has support for this already so adding the configuration setting clusterBuilder.withSSL() in CassandraPluginConfig would work.

This enables the user to supply keystore+truststore with JSSE. Of course full configurability is even nicer.

How to set this up with the DataStax driver is described in a blog post:
http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native-protocol

I can give this a try and contribute on this if you wish to have some help.

@krasserm
Owner

krasserm commented Jun 1, 2015

Hi Magnus,

thanks for offering help. @elmalto started working on it and created pull request #53. @elmalto are you still planning to continue with it?

@magnusart
Contributor Author

Cool. I actually did a quick test last night by adding the withSSL() and adding the JSSE runtime JVM parameters to spray-revolver, but it didn't work out of the box with my setup.

I could continue on the work started by @elmato and test it if he is occupied.

@krasserm
Owner

krasserm commented Jun 1, 2015

@magnusart sounds good to me!

@elmato

elmato commented Jun 2, 2015

@magnusart I think you are referring to @elmalto (Yes .. tricky nicknames :) )

@malterb

malterb commented Jun 2, 2015

Hey @magnusart, it would be amazing if you could continue it. I currently don't know when I would find time for it :)

@magnusart
Contributor Author

@elmalto I gave it a go already yesterday. :)

I refactored it a bit, basically to close the input streams. But I could not get the SSL connection to happen.

In the Cassandra logs I get a message that claims the data sent was not an SSL handshake, and when I look at the data being sent it is "CQL3.0". Did you successfully test the SSL connection?

I can connect to my cluster using the DataStax DevCenter with the same truststore/keystore successfully. So I believe my setup is OK.

Will try to debug a bit tonight, did not have time yesterday. Hoping it is just something simple, like a config error.

@malterb

malterb commented Jun 2, 2015

@magnusart it works, but on other projects I've had issues with getResource. I think it will silently fall back to not using your provided keystore if it doesn't find the file

@magnusart
Contributor Author

@elmalto thanks, as I suspected I had some strange state where my project did not accept my locally published version (even when using -SNAPSHOT). I actually already fixed the JKS when file not found. I throw an error if the path is incorrect.

@krasserm I have created a new pull request.

Pull request: #59
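
The failure mode discussed above (a key store path that does not resolve, and a connection that then proceeds without it) can be closed off by treating a missing store as a hard error and closing the stream with try-with-resources. The following is an added example, not part of the thread and not the plugin's code from the pull request; it uses only JDK classes, and `StrictTrustStore`, `load`, `context`, the sample file and the password are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration; class and method names are hypothetical, not the plugin's code.
public final class StrictTrustStore {
    // Load a JKS trust store from the file system. A missing file is a hard error:
    // Class.getResourceAsStream would instead return null for a missing resource,
    // which a caller can easily mistake for "no SSL configured".
    static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        if (!Files.isRegularFile(path)) {
            throw new NoSuchFileException(path.toString(), null, "trust store not found");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) { // stream is always closed
            ks.load(in, password);                          // wrong password -> IOException
        }
        return ks;
    }
    // Build a TLS context that trusts only the certificates in that store.
    static SSLContext context(Path path, char[] password) throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(path, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                // constructed sample password
        Path store = Files.createTempFile("sample", ".jks"); // constructed, empty store
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, pw);
        try (OutputStream out = Files.newOutputStream(store)) { empty.store(out, pw); }
        System.out.println("entries loaded: " + load(store, pw).size());
        try {
            context(Paths.get("does-not-exist.jks"), pw);
        } catch (NoSuchFileException e) {
            System.out.println("refused to build SSLContext: " + e.getMessage());
        }
    }
}
```

Passing the resulting `SSLContext` to the driver is left out here; the point is that the caller gets an exception, never a plaintext connection, when the configured path is wrong.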

@krasserm krasserm modified the milestone: 0.3.9 Jun 10, 2015
@magnusart
Contributor Author

Hi

Would you mind publishing a SNAPSHOT version with this included? I want to use this for dev and I'd rather like to track your repo than publish it by myself.

@krasserm
Owner

Bintray doesn't allow publication of snapshot versions. I initially planned to do further work on this plugin before making the next release. But if you'd like I can cut a 0.3.9 release next week. Please let me know.

@magnusart
Contributor Author

Hi, that would be great if it is not too much work.

By the way, after looking a bit more I have added an issue at cassandra-unit to see if I can get some answers around whether they support SSL: jsevellec/cassandra-unit#126

@krasserm
Owner

@magnusart 0.3.9 containing your changes is released.

@magnusart
Contributor Author

Many thanks!

@krasserm
Owner

You're welcome. Thank you for your contribution!

rafalsiwiec pushed a commit to rafalsiwiec/akka-persistence-cassandra that referenced this issue Mar 23, 2016
…s-SamanSattari

[krasserm#46] make metric registry of cassandra available for each connection…