Updates to Cipher Suites for Cassandra version 4 and above Clusters
At NetApp Instaclustr, we are continually working towards compliance with additional security standards and conducting regular risk reviews. To ensure enhanced security, we now support a carefully selected set of usable ciphers on the Instaclustr Managed Platform for connecting to Cassandra 4 and above clusters with client encryption enabled.
Cassandra clusters on version 4 and above allow only the following cipher suites when Client Encryption is enabled:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
With Cassandra 3.0 and 3.11 approaching end of life, this change is an important prerequisite for all customers upgrading to Cassandra 4 and above.
Why have we done this?
Using a weak cipher suite exposes a connection to a range of risks, including known weaknesses in the cipher algorithms themselves or compromise of the key exchange, either of which can lead to data breaches and unauthorized access. The two allowed suites have been selected based on our improving security posture and compliance requirements: both use ECDHE key exchange, which provides forward secrecy, and AES-GCM, an authenticated encryption mode. The shorter list also simplifies both client and cluster configuration and reduces the chance of a misconfiguration that silently falls back to a weak cipher. Adopting these stronger ciphers not only aligns with our best practices and compliance requirements but also strengthens the security posture for all users, regardless of their specific compliance needs.
Next Steps
We recommend the following actions for customers in preparation for requesting a Major Version Upgrade from Cassandra 3 to Cassandra 4, for clusters with Client Encryption enabled:
- Review the list of cipher suites in use by your client applications. See below for examples of how to restrict this list on some client drivers.
- Update your clients to connect to the managed clusters using only the two cipher suites listed above.
- Clients built on the Apache Cassandra Java driver version 4 need to update the application.conf file to restrict the cipher suites used, e.g.

```hocon
datastax-java-driver {
  basic.contact-points = ["<contact point 1>", "<contact point 2>", "<contact point 3>"]
  advanced.ssl-engine-factory {
    class = DefaultSslEngineFactory
    # Only the two suites allowed on the platform. The quoted names must not
    # contain leading or trailing whitespace, or the suite will not match.
    cipher-suites = [ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ]
    truststore-path = /path/to/client/truststore.jks
  }
}
```

- Clients built on the DataStax Apache Cassandra Python driver can create a custom SSLContext that uses the two cipher suites, e.g.

```python
from ssl import SSLContext, PROTOCOL_TLSv1_2

ssl_context = SSLContext(PROTOCOL_TLSv1_2)
# IANA names as above; if your OpenSSL build rejects them, use the OpenSSL
# spellings ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 instead
ssl_context.set_ciphers('TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256')
```

- If you are not using either of the drivers listed above, we recommend reviewing the documentation for the driver you use to understand how to configure your client application to use only the two specified cipher suites.
- Roll out the updates on your client application.
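The following script is an added example, not Instaclustr's code nor part of any Cassandra driver. It ties the steps above together for a Python client: it flags suites in a client's current configuration that are not on the allowed list, builds an SSLContext that can only negotiate the two allowed suites, verifies offline which TLS 1.2 suites that context will actually offer, and can report the suite a live contact point negotiates. The CA file path and the use of port 9042 (Cassandra's default native transport port) are assumptions; the OpenSSL names are the standard spellings of the two IANA suite names, since Python's ssl module is built on OpenSSL.

```python
"""Restrict a Python TLS client to the two cipher suites allowed for
Cassandra 4+ clusters and verify the restriction before rolling it out."""
import socket
import ssl

# The two allowed suites, keyed by IANA name. OpenSSL (and therefore Python's
# ssl module) spells them differently, so both forms are kept.
ALLOWED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def disallowed_suites(configured):
    """Review step: given the IANA names a client currently offers, return
    the ones that are not in the allowed set (empty list means compliant)."""
    return [name for name in configured if name not in ALLOWED_SUITES]


def build_client_context(ca_file=None):
    """Build an SSLContext that can only negotiate the two allowed suites.

    set_ciphers() governs TLS 1.2 and earlier only, so the context is pinned
    to TLS 1.2 exactly; otherwise OpenSSL's TLS 1.3 suites would still be
    offered and the restriction would be incomplete."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies peer cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_SUITES.values()))
    if ca_file:
        # Assumed path to the cluster CA certificate in PEM form (the
        # equivalent of the Java driver's truststore).
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def enabled_tls12_suites(ctx):
    """Offline check: the TLS 1.2 suites the context will offer, in
    priority order, as OpenSSL names. TLS 1.3 entries are filtered out
    because they are listed by get_ciphers() regardless of set_ciphers()."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def negotiated_suite(host, port, ctx, timeout=5.0):
    """Live check against a contact point: returns (suite, protocol) the
    server actually selected. Raises ssl.SSLError if the server supports
    neither allowed suite, which is exactly the failure to catch before a
    rollout rather than after."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _secret_bits = tls.cipher()
            return name, version


if __name__ == "__main__":
    # Constructed sample of a client's current configuration.
    current = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
               "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print("not allowed:", disallowed_suites(current))
    ctx = build_client_context(ca_file=None)
    print("will offer:", enabled_tls12_suites(ctx))
    # Uncomment with a real contact point and CA file to test a live node:
    # print(negotiated_suite("<contact point 1>", 9042,
    #                        build_client_context("/path/to/cluster-ca.pem")))
```

Once `enabled_tls12_suites` shows only the two allowed suites, the same context can be handed to the driver with `Cluster(contact_points=[...], ssl_context=ctx)`, and `negotiated_suite` run against each contact point confirms the server side agrees before the change is rolled out to production clients.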
After this point the Instaclustr support team can begin the Major Version Upgrade on your Cassandra 3 Clusters.
Summary
We understand that testing and changing systems is a time-consuming process. At NetApp Instaclustr, we follow a meticulous approach during major version upgrades ensuring that clients can maintain connectivity to the cluster throughout each phase of the upgrade, and we have established rollback mechanisms in place should any connectivity issues or other issues arise.
If you have any questions or concerns, please do not hesitate to contact us at [email protected].
Other Related Announcements
- With the release of Cassandra 5, Cassandra 3 will soon reach end of life on the Instaclustr platform. Please refer to our lifecycle policy update in the Cassandra 5 GA release announcement here.
- If you are using Cassandra 3, you must upgrade to Cassandra 4 before moving on to Cassandra 5. To understand why, check out our blog, “Top 5 Questions We’re Asked About Apache Cassandra® 5.0.“