Datastax Cassandra - Cqlsh with SSL not working


Author: Vittorio Cozzolino

Originally Sourced from: https://stackoverflow.com/questions/36917014/datastax-cassandra-cqlsh-with-ssl-not-working

I've installed a single-node Datastax Cassandra v3.5 cluster on my Ubuntu machine. I'm trying to connect to the node using the command-line interface cqlsh using the SSL option without success (from the same machine). The steps I followed are:

  • Prepared the .keystore, .cer certificate and .truststore following this guide http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
  • Modified my cassandra.yaml accordingly:

    client_encryption_options:
        enabled: true
        optional: false
        keystore: /************************/.keystore
        keystore_password: ************************
        require_client_auth: false
        # Set trustore and truststore_password if require_client_auth is true
        truststore: /************************/.truststore
        truststore_password: ************************

  • Created a cqlshrc conf file and filled it following this guide https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html :

    [connection]
    hostname = *****
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory

    [ssl]
    certfile = /home/conf/mycert.cer
    validate = true ## Optional, true by default

So basically I created a private and public key, pointed Cassandra to my .keystore and .truststore (even though I don't think it's necessary because I'm not enforcing the client auth) and cqlsh to the public key (certificate).

Whenever I try to launch cqlsh --ssl I always get the same error and not a single debug message inside Cassandra. The error message is:

    Connection error: ('Unable to connect to any servers', {'*.*****.******': error(0, "Tried connecting to [('..*.***', 9042)]. Last error: _ssl.c:344:error:00000000:lib(0):func(0):reason(0)")})

Just a side note, if I remove SSL authentication everything works perfectly.

EDIT

I've solved my initial issue following @Adam Holmberg's suggestion but still no luck with the SSL connection. I checked that I have JCE libraries installed and I've been trying to force cqlsh to use SSLv23 or TLSv1 to establish the connection to the Cassandra server but I receive the following error every time:

    Connection error: ('Unable to connect to any servers', ... ... ... Last error: _ssl.c:510: EOF occurred in violation of protocol")})

Moreover, I've also added the JVM option -Djavax.net.debug=all to no avail; I don't see any additional log about SSL.
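
One check that fits the setup described in the question, as an added example that is not part of the original post: cqlsh loads `certfile` through Python's `ssl` module, which expects PEM, while `keytool -export` writes binary DER unless `-rfc` is given. The script below reads `certfile` from a cqlshrc, reports its encoding and writes a PEM copy when it is DER; the function names and the sample files are constructed for illustration.

```python
import configparser
import ssl
import tempfile
from pathlib import Path

def certfile_from_cqlshrc(cqlshrc_path):
    """Return the [ssl] certfile entry of a cqlshrc file, or None if absent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(cqlshrc_path)
    return cfg.get("ssl", "certfile", fallback=None)

def cert_encoding(data):
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # DER certificates start with an ASN.1 SEQUENCE tag (0x30) followed by a
    # two-byte long-form length (0x82) for any certificate of 256..65535 bytes.
    if data[:2] == b"\x30\x82":
        return "der"
    return "unknown"

def ensure_pem(cert_path):
    """Return a path to a PEM copy of cert_path, converting from DER if needed."""
    path = Path(cert_path)
    data = path.read_bytes()
    kind = cert_encoding(data)
    if kind == "pem":
        return str(path)
    if kind != "der":
        raise ValueError(f"{path}: neither PEM nor DER certificate data")
    pem_path = path.with_suffix(".pem")
    pem_path.write_text(ssl.DER_cert_to_PEM_cert(data))
    return str(pem_path)

def demo():
    """Run the check on a constructed cqlshrc and a constructed DER-shaped blob."""
    with tempfile.TemporaryDirectory() as tmp:
        der = b"\x30\x82\x01\x00" + bytes(range(256))  # constructed, not a real cert
        cer = Path(tmp, "mycert.cer")
        cer.write_bytes(der)
        rc = Path(tmp, "cqlshrc")
        rc.write_text(f"[connection]\nport = 9042\n\n[ssl]\ncertfile = {cer}\nvalidate = true\n")
        certfile = certfile_from_cqlshrc(rc)
        before = cert_encoding(Path(certfile).read_bytes())
        pem_text = Path(ensure_pem(certfile)).read_text()
        return before, cert_encoding(pem_text.encode()), ssl.PEM_cert_to_DER_cert(pem_text) == der

if __name__ == "__main__":
    print(demo())
```

If the file turns out to be DER, point `certfile` in cqlshrc at the generated `.pem` path.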