KB Article #179617
force TLSv1.2 protocol in cassandra configuration
Problem
- How to make Cassandra accept only TLSv1.2 for node-to-node and client-to-node connections?
Resolution
-- There are two solutions for this:
- First would be to configure the cipher_suites parameter of
server_encryption_options (for inter-node communication) and
client_encryption_options (for communication from clients to Cassandra)
to use only cipher suites that are available in TLS 1.2 and not in earlier versions, for example:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
You can have a look at the openssl ciphers manpage for a list of these cipher suites: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
- Second would be to disable TLSv1.0 and TLSv1.1 at the JRE level.
In the JRE folder configured to be used by Cassandra, edit the file
jre/lib/security/java.security and add the TLSv1 and TLSv1.1 protocols
to jdk.tls.disabledAlgorithms, for example:
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1
Restart Cassandra to apply the change.
(Note that this will affect all Java programs using this JRE installation.)
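Added example (not part of this KB article or of Cassandra itself): a small offline check of both configurations. It flags any suite in a cassandra.yaml cipher_suites list that is also negotiable under TLS 1.0/1.1 (suite names ending in a SHA-1/MD5 HMAC), since one such suite left in the list is enough to let an old client connect, and it confirms that java.security lists both TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms. The YAML and java.security fragments are constructed sample input, and the parsing is a minimal regex rather than a full YAML/properties parser.

```python
import re

# JSSE/IANA suites whose HMAC or AEAD part only exists from TLS 1.2 (RFC 5246/5288/5289).
# Names ending in _SHA (SHA-1) or _MD5 can also be negotiated under TLS 1.0/1.1.
_TLS12_ONLY_SUFFIX = re.compile(r"_(SHA256|SHA384|CCM|CCM_8)$")


def is_tls12_only(suite: str) -> bool:
    """True if the named suite can only be negotiated under TLS 1.2."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return False  # TLS 1.3-only suite names, never a TLS 1.2 match
    return bool(_TLS12_ONLY_SUFFIX.search(suite))


def cipher_suites_from_yaml(yaml_text: str, section: str) -> list:
    """Return the flow-style cipher_suites list of one *_encryption_options block."""
    block = re.search(rf"^{section}:\n((?:[ \t]+.*\n?)*)", yaml_text, re.M)
    m = re.search(r"cipher_suites:\s*\[([^\]]*)\]", block.group(1)) if block else None
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def legacy_suites(suites) -> list:
    """Suites that would still allow a TLS 1.0/1.1 handshake."""
    return [s for s in suites if not is_tls12_only(s)]


def jre_disables_legacy_tls(java_security_text: str) -> bool:
    """True if jdk.tls.disabledAlgorithms lists both TLSv1 and TLSv1.1."""
    joined = re.sub(r"\\\n\s*", "", java_security_text)  # fold line continuations
    m = re.search(r"^\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    if not m:
        return False
    algs = {a.strip() for a in m.group(1).split(",")}
    return {"TLSv1", "TLSv1.1"} <= algs


# Constructed cassandra.yaml fragment: the client block still carries a SHA-1 suite.
SAMPLE_YAML = """\
server_encryption_options:
    internode_encryption: all
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
client_encryption_options:
    enabled: true
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
"""
SAMPLE_JAVA_SECURITY = "jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \\\n    TLSv1, TLSv1.1\n"

if __name__ == "__main__":
    for section in ("server_encryption_options", "client_encryption_options"):
        print(section, "legacy suites:", legacy_suites(cipher_suites_from_yaml(SAMPLE_YAML, section)))
    print("JRE disables TLSv1/TLSv1.1:", jre_disables_legacy_tls(SAMPLE_JAVA_SECURITY))
```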