Closed jeremymv2 closed 3 years ago
Hold on review please. I'm going to implement this slightly differently.
Pushed up changes. Ready for review now.
@jeremymv2 Thank you! I manually merged the patch in d742d5c with one functional change: renaming the Host and Cluster options from `encryption_protocol` to `ssl_protocol`.
Also noting here that https://github.com/thibaultcha/lua-resty-socket should receive this patch as well, although I do not recall if Kong itself indirectly depends on it or not.
I'll try to push a v1.5.1 lua-cassandra in the next couple days. Thanks again!
Allows changing the TLS encryption version.
The underlying luasec library allows for setting the encryption protocol to 'any' [1]. When set as such, the client negotiates the highest encryption protocol available. This `any` protocol version setting is widely in use in the luasec repository [2].
In my testing, when `any` is set, it resulted in TLSv1.2 being utilized for the connection. While I expected TLSv1.3 to be utilized, after some research, I discovered that JDK 8 has had TLSv1.3 support backported to it but TLSv1.3 is not enabled by default and requires extra configuration when starting the JVM [3]. Thus in practice TLSv1.3 probably wouldn't be enabled very often for Cassandra until a later version of JDK is supported.
Partially implements #106
[1] - https://github.com/brunoos/luasec/blob/711a98b7605ad87b521ba607024947113bc1f527/CHANGELOG#L101
[2] - https://github.com/brunoos/luasec/search?q=protocol+%3D+%22any%22
[3] - https://www.oracle.com/java/technologies/javase/8u261-relnotes.html#JDK-8145252
Signed-off-by: Jeremy J. Miller jeremy.miller@konghq.com
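A standalone luasec check for the behaviour described in the pull request text above, added here as an example and not taken from lua-cassandra or the merged patch: it connects with `protocol = "any"`, uses luasec `options` to refuse anything older than TLSv1.2, and reports the version that was actually negotiated. The host, port and CA file path are placeholders (assumptions), and the helper names are hypothetical.

```lua
-- Added example, not lua-cassandra code. Requires luasocket and luasec.
local socket = require("socket")
local ssl = require("ssl")

-- Placeholders (assumptions): point these at your own Cassandra node and CA.
local HOST, PORT = "cassandra.example.internal", 9042
local CAFILE = "/etc/ssl/certs/cassandra-ca.pem"

-- "any" leaves the version open to negotiation, so the minimum acceptable
-- version is enforced by switching the older protocols off explicitly.
local function tls_params(cafile)
  return {
    mode = "client",
    protocol = "any",
    verify = "peer",
    cafile = cafile,
    options = { "all", "no_sslv3", "no_tlsv1", "no_tlsv1_1" },
  }
end

-- Connects, completes the handshake and returns the negotiated protocol
-- and cipher, or nil plus an error message naming the step that failed.
local function negotiated_protocol(host, port, params)
  local tcp = socket.tcp()
  tcp:settimeout(5)
  local ok, err = tcp:connect(host, port)
  if not ok then tcp:close() return nil, "connect: " .. tostring(err) end

  local conn, werr = ssl.wrap(tcp, params)
  if not conn then tcp:close() return nil, "wrap: " .. tostring(werr) end
  conn:settimeout(5)

  local hs, herr = conn:dohandshake()
  if not hs then conn:close() return nil, "handshake: " .. tostring(herr) end

  local info = conn:info()
  conn:close()
  return info.protocol, info.cipher
end

local proto, detail = negotiated_protocol(HOST, PORT, tls_params(CAFILE))
if proto then
  print(("negotiated %s with %s"):format(proto, detail))
else
  print("TLS check failed: " .. detail)
end
```

A handshake failure against a node that only offers older protocol versions is the expected result with these options.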