Update cassandra-stress default cipher suites to support tls 1.3

[omniCoder77]

Fixes: CASSANDRA-21007

Problem

cassandra-stress can not connect to tls 1.3 servers with the current default cipher suites (TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA) because they don't have perfect forward secrecy, which tls 1.3 needs.

What i changed

I updated the default cipher suites in the ssl-ciphers option to use modern ones that support PFS:
Old ciphers:

• TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  New ciphers:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Why This Helps

• Fixes the tls 1.3 connection issue
• Adds perfect forward secrecy using ecdhe
• Switches from cbc to gcm which is more secure
• Still works with tls 1.2 servers

This is my first open source contribution, kindly let me know if i need to change anything or if there is any issue with my approach.

[Copilot]

Pull request overview

This PR updates the default cipher suites for cassandra-stress to support TLS 1.3 connections. The old RSA-based cipher suites (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA) lack perfect forward secrecy (PFS), which is required by TLS 1.3, preventing connections to TLS 1.3 servers.

Key Changes:

• Updated default cipher suites from RSA-based to ECDHE-based variants that support perfect forward secrecy
• Changed from CBC to GCM mode for improved security
• Maintained backward compatibility with TLS 1.2 servers

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bschoening]

@omniCoder77 do we have to force a cipher here? Could it not just auto-negotiate?

See for example tools which don't appear to specify a particular cipher: https://github.com/apache/cassandra/blob/e1e39b074ac61f293d652b516a70c73b65c7ac3f/tools/sstableloader/src/org/apache/cassandra/tools/LoaderOptions.java

[omniCoder77]

That makes sense! auto-negotiation would be better than forcing specific
ciphers.
i'll update the pr to use an empty default.

[omniCoder77]

Shall I add a comment after empty string
// Empty = auto-negotiate

[bschoening]

// Default is to auto-negotiate

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changing the default for ssl-ciphers to an empty string does not "auto-negotiate" with the current implementation. Because the value is split and passed directly to the cipher suite setter, an empty string yields an invalid suite entry and will break TLS configuration. Recommend keeping the default null/unspecified and only applying withCipherSuites(...) when the option is explicitly set, or update the builder to treat empty as "use provider defaults".

Suggested change

	"",
	null,

[Copilot]

The PR description states new defaults should be TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, but the code sets the default to an empty string. This is inconsistent and will not achieve the stated goal of supporting TLS 1.3 by default. Recommend setting these modern suites as the default value here, or clarifying in the help text that no default suites are applied and users must specify them.

Suggested change

	"",
	"SSL: comma delimited list of encryption suites to use", false);
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"SSL: comma delimited list of encryption suites to use (default: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)", false);

[omniCoder77]

I updated the PR to use null value and similarly updated the explanation comment as the copilot suggested, shall I revert back to empty string, apologies for not asking for you approval.

[bschoening]

Ok, did you test it to ensure it works?

Would be good to run 'nodetool clientstats' to show the successful TLS 1.3 connection and put the output in the Jira

[omniCoder77]

Thanks for the suggestion. I’ll run nodetool clientstats and attach the output here shortly to confirm the TLS connection.

[omniCoder77]

I have confirmed and updated the connection status, connection using TLS 1.3 status and query execution check using null parameter for auto-negotiating on JIRA.

[omniCoder77]

Hi @bschoening , just just checking if there's anything else needed from my side for this to be merged. I have updated the JIRA as you said.

[jyothsnakonisa]

@omniCoder77 do you want help in merging this?

[omniCoder77]

@jyothsnakonisa Yes. I have updated the issue on JIRA. Just want to know if anything remains from my side for this PR to be merged. I'll be happy to do it.

[jyothsnakonisa]

@omniCoder77 I can help you with that, I do not see a test for validating the change that you made. can you confirm whether you have tested changes you made in this patch may be by running tlp-stress at least

[bschoening]

@omniCoder77 I have not had the time to test this yet, @jyothsnakonisa were you able to test the fix here?

[omniCoder77]

@jyothsnakonisa Could you clarify what tlp-stress refers to? Is it the same as cassandra-stress?
If so, I have tested the patch using cassandra-stress and uploaded the results here at the bottom of the page.

[jyothsnakonisa]

Oh sorry I meant Cassandra-stress, missed the result that you posted on the JIRA. I am going to merge this now.

[omniCoder77]

@jyothsnakonisa Thanks again for reviewing and merging, really appreciate it.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[omniCoder77]

@bschoening should i commit the suggestions copilot suggested?

[bschoening]

yes, please