From 1d46204b988ab462a48378903e89a428169fd9da Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Fri, 28 Nov 2025 01:20:40 +0530
Subject: [PATCH 1/7] Fix cassandra-stress default ciphers for TLS 1.3 compatibility in SettingsTransport.java
Fix cassandra-stress TLS 1.3 handshake failures by updating default ciphers
- Replace TLS_RSA_WITH_* cipher suites with TLS_ECDHE_RSA_WITH_* variants
- Enable Perfect Forward Secrecy and TLS 1.3 compatibility
- Align with NIST SP 800-52 and RFC 8446 security standards
- Maintain backward compatibility with existing RSA certificates
---
 .../org/apache/cassandra/stress/settings/SettingsTransport.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index ccdf0a53b207..2112ac1a375c 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -89,7 +89,7 @@ static class TOptions extends GroupedOptions implements Serializable
 final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
 final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
 final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*",
- "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 "SSL: comma delimited list of encryption suites to use", false);
 
 @Override
From 2c4a0df0c79eb2d17ee8eef6ae1297e7d533764f Mon Sep 17 00:00:00 2001
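Review bot: The two suites the new default enables, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, are TLS 1.2 suite names; TLS 1.3 negotiates only its own `TLS_AES_128_GCM_SHA256` / `TLS_AES_256_GCM_SHA384` family, so pinning the enabled list to these two still cannot complete a handshake with a server that offers TLS 1.3 only, despite the subject line's "TLS 1.3 compatibility" claim. The list also works only with RSA-keyed server certificates, since an ECDSA certificate has no overlapping suite, which is the usual reason to leave suite selection to the JSSE provider's defaults, as the later patches in this series end up doing. If an explicit default is kept, the `ssl-ciphers=` help text should state which protocol versions the listed suites apply to, so users of an ECDSA or TLS 1.3-only cluster know they must override it.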
From: Rishabh Saraswat
Date: Sun, 30 Nov 2025 09:49:40 +0530
Subject: [PATCH 2/7] Reorder cipher suites for better performance, putting 128 bit ciper before.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../org/apache/cassandra/stress/settings/SettingsTransport.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index 2112ac1a375c..0c84bd741655 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -89,7 +89,7 @@ static class TOptions extends GroupedOptions implements Serializable
 final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
 final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
 final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 "SSL: comma delimited list of encryption suites to use", false);
 
 @Override
From acb5d561830f4e08f14a27ba65ec1e18992e0a0c Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Mon, 1 Dec 2025 23:14:55 +0530
Subject: [PATCH 3/7] Allow cipher auto-negotiation instead of forcing defaults
---
 .../org/apache/cassandra/stress/settings/SettingsTransport.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index 0c84bd741655..a753cdd7e697 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -89,7 +89,7 @@ static class TOptions extends GroupedOptions implements Serializable
 final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
 final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
 final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "",
 "SSL: comma delimited list of encryption suites to use", false);
 
 @Override
From 8cd2beb6d93a3d7788ec2b13fa3dc415acf2777f Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Mon, 1 Dec 2025 23:24:45 +0530
Subject: [PATCH 4/7] Add comment explaining auto-negotiation default
---
 .../org/apache/cassandra/stress/settings/SettingsTransport.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index a753cdd7e697..c03594efe1f7 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -88,6 +88,7 @@ static class TOptions extends GroupedOptions implements Serializable
 TRANSPORT_KEYSTORE_PASSWORD_PROPERTY_KEY), false);
 final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
 final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
+ // Default is to auto-negotiate
 final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*",
 "",
 "SSL: comma delimited list of encryption suites to use", false);
From d4704b6e69c68088e6edcd53385c37ed0ef8ecb5 Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Mon, 1 Dec 2025 23:37:50 +0530
Subject: [PATCH 5/7] Update default cipher value to null for auto-negotiation
---
 .../apache/cassandra/stress/settings/SettingsTransport.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index c03594efe1f7..48e5b2fe17a7 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -88,9 +88,9 @@ static class TOptions extends GroupedOptions implements Serializable
 TRANSPORT_KEYSTORE_PASSWORD_PROPERTY_KEY), false);
 final OptionSimple protocol = new OptionSimple("ssl-protocol=", ".*", "TLS", "SSL: connection protocol to use", false);
 final OptionSimple alg = new OptionSimple("ssl-alg=", ".*", null, "SSL: algorithm", false);
- // Default is to auto-negotiate
+ // Null is to auto-negotiate
 final OptionSimple ciphers = new OptionSimple("ssl-ciphers=", ".*",
- "",
+ null,
 "SSL: comma delimited list of encryption suites to use", false);
 
 @Override
From 88d3e312095322746b0d4bce1009e6bbafba5814 Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Mon, 15 Dec 2025 09:50:56 +0530
Subject: [PATCH 6/7] Refactor cipher suites handling in SettingsTransport
---
 .../apache/cassandra/stress/settings/SettingsTransport.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index 48e5b2fe17a7..ac0f874ffb20 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
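Review bot: `// Null is to auto-negotiate` above the `ciphers` option is terse, and the help text still reads as if a suite list were mandatory; now that the effective default is whatever the JSSE provider enables, say so where the user sees it, e.g. `// null default: no explicit suite list is set and the JSSE provider's enabled suites are used` and a help string of `"SSL: comma delimited list of encryption suites to use (default: provider-negotiated)"`. With this patch alone `getEncryptionOptions()` still calls `options.ciphers.value().split(",")` unconditionally, so if `value()` hands back the null default when the flag is absent (presumably, given the guard the next patch adds) a plain `cassandra-stress` run with SSL would fail on a NullPointerException at this commit; the null default and its guard belong in one commit so the series bisects cleanly. `TOptions` starts above the hunk.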
@@ -54,8 +54,10 @@ public EncryptionOptions.ClientEncryptionOptions getEncryptionOptions()
 .withTrustStore(options.trustStore.value())
 .withTrustStorePassword(options.trustStorePw.setByUser() ? options.trustStorePw.value() : credentials.transportTruststorePassword)
 .withAlgorithm(options.alg.value())
- .withProtocol(options.protocol.value())
- .withCipherSuites(options.ciphers.value().split(","));
+ .withProtocol(options.protocol.value());
+
+ if (options.ciphers.value() != null)
+ encOptionsBuilder.withCipherSuites(options.ciphers.value().split(","));
 
 if (options.keyStore.present())
 {
From 53a3f35992bb073d58540c9be620330b867e4cff Mon Sep 17 00:00:00 2001
From: Rishabh Saraswat
Date: Tue, 16 Dec 2025 00:03:50 +0530
Subject: [PATCH 7/7] Update tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java with proper indentations
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../apache/cassandra/stress/settings/SettingsTransport.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
index ac0f874ffb20..65039bdf80d1 100644
--- a/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
+++ b/tools/stress/src/org/apache/cassandra/stress/settings/SettingsTransport.java
@@ -56,8 +56,8 @@ public EncryptionOptions.ClientEncryptionOptions getEncryptionOptions()
 .withAlgorithm(options.alg.value())
 .withProtocol(options.protocol.value());
 
- if (options.ciphers.value() != null)
- encOptionsBuilder.withCipherSuites(options.ciphers.value().split(","));
+ if (options.ciphers.value() != null)
+ encOptionsBuilder.withCipherSuites(options.ciphers.value().split(","));
 
 if (options.keyStore.present())
 {
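Review bot: The new guard covers only the null default; a user-supplied `ssl-ciphers=` with an empty value, or a list written with spaces after the commas, still reaches `withCipherSuites` with `""` or ` TLS_...` entries, and a suite name the provider does not recognise is presumably rejected when the SSL engine is configured, i.e. at connect time rather than at option parsing. Trimming each entry and skipping the call when nothing is left makes a blank value fall back to provider negotiation exactly as null does, and keeps a stray space from silently disabling every listed suite. `getEncryptionOptions()` and the `encOptionsBuilder` declaration start above the hunk, and `java.util.Arrays` needs importing if the file does not already do so.
```java
            .withProtocol(options.protocol.value());

        // null or blank: leave suite selection to the JSSE provider
        String cipherList = options.ciphers.value();
        if (cipherList != null)
        {
            String[] suites = Arrays.stream(cipherList.split(","))
                                    .map(String::trim)
                                    .filter(s -> !s.isEmpty())
                                    .toArray(String[]::new);
            if (suites.length > 0)
                encOptionsBuilder.withCipherSuites(suites);
        }
        // … unchanged: keystore handling …
```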