You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Matthias Brandt (JIRA)" <ji...@apache.org> on 2016/01/06 18:48:39 UTC
[jira] [Updated] (CASSANDRA-10970) SSL/TLS: Certificate Domain is
ignored
[ https://issues.apache.org/jira/browse/CASSANDRA-10970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matthias Brandt updated CASSANDRA-10970:
----------------------------------------
Description:
I've set up server_encryption_options as well as client_encryption_options. In both settings, I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA, which root certificate is in the configured truststore:
{code}
server_encryption_options:
internode_encryption: all
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
truststore: /etc/cassandra/conf/my-cacerts
truststore_password: changeit
require_client_auth: true
client_encryption_options:
enabled: true
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
require_client_auth: false
{code}
The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}
When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
I would expect that the connection would fail with a meaningful error message.
was:
I've set up server_encryption_options as well as client_encryption_options. In both settings, I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA, which root certificate is in the configured truststore:
{code}
server_encryption_options:
internode_encryption: all
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
truststore: /etc/cassandra/conf/hpo-cacerts
truststore_password: changeit
require_client_auth: true
client_encryption_options:
enabled: true
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
require_client_auth: false
{code}
The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}
When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
I would expect that the connection would fail with a meaningful error message.
> SSL/TLS: Certificate Domain is ignored
> --------------------------------------
>
> Key: CASSANDRA-10970
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10970
> Project: Cassandra
> Issue Type: Bug
> Reporter: Matthias Brandt
>
> I've set up server_encryption_options as well as client_encryption_options. In both settings, I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA, which root certificate is in the configured truststore:
> {code}
> server_encryption_options:
> internode_encryption: all
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> truststore: /etc/cassandra/conf/my-cacerts
> truststore_password: changeit
> require_client_auth: true
> client_encryption_options:
> enabled: true
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> require_client_auth: false
> {code}
> The certifcate's subject is:
> {code}CN=*.my.domain.com,OU=my unit,O=my org{code}
> When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
> I would expect that the connection would fail with a meaningful error message.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)