new option to ignore incoming connection encryption if set #3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
c2f24d2 The commit disallows unencrypted connection when the node expects encrypted connection. In simpler words, As soon as node is configured with encryption(nodeA) it wont accept unencrypted connection (nodeB. nodeC). And inserts with consistency 2 in a 3 node(nodeA, nodeB, nodeC) cluster would stop working a soon as (nodeB) goes down, even though 2 nodes (nodeA [expects encryption], and nodeC [encryption-not-configured]) are up. That commit includes test and inside those tests is a comment to further clarify the situation: /* * instance (1) won't connect to (2), since (2) won't have a TLS listener; * instance (2) won't connect to (1), since inbound check will reject * the unencrypted connection attempt; * * without the patch, instance (2) *CAN* connect to (1), without encryption, * despite being in a different dc. */ Here instance1 is configured to have encryption (across DC's) and instance(2) not at all. They belong to diffierent DC's The patch add a new option. This options when set allows control over enforcing the above decision (to terminate NON-SSL connection when SSL is configured). If the option is set to true the check is enforced and do not otherwise (also enforce if the option is not set, keeping the behaviour backward compatible)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
c2f24d2
The commit disallows unencrypted connection when the node expects
encrypted connection.
In simpler words, As soon as node is configured with encryption(nodeA) it
wont accept unencrypted connection (nodeB. nodeC). And inserts with
consistency 2 in a 3 node(nodeA, nodeB, nodeC) cluster would stop
working a soon as (nodeB) goes down, even though 2 nodes (nodeA [expects
encryption], and nodeC [encryption-not-configured]) are up.
That commit includes test and inside those tests is a comment to further
clarify the situation:
Here instance1 is configured to have encryption (across DC's) and
instance(2) not at all. They belong to diffierent DC's
The patch add a new option. This options when set allows control over
enforcing the above decision (to terminate NON-SSL connection when SSL
is configured). If the option is set to true the check is enforced and
do not otherwise (also enforce if the option is not set, keeping the
behaviour backward compatible)