Posted to commits@cassandra.apache.org by sn...@apache.org on 2016/03/28 13:03:45 UTC
cassandra git commit: Hostname verification for node-to-node
encryption
Repository: cassandra
Updated Branches:
refs/heads/trunk b6ff7f6c0 -> c9c9c4226
Hostname verification for node-to-node encryption
patch by Stefan Podkowinski; reviewed by Robert Stupp for CASSANDRA-9220
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/c9c9c422
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/c9c9c422
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/c9c9c422
Branch: refs/heads/trunk
Commit: c9c9c42263f1d477e45e9c2053bc1bbedc08bf8e
Parents: b6ff7f6
Author: Stefan Podkowinski <ji...@midnightdrift.com>
Authored: Mon Mar 28 13:02:50 2016 +0200
Committer: Robert Stupp <sn...@snazy.de>
Committed: Mon Mar 28 13:02:50 2016 +0200
----------------------------------------------------------------------
CHANGES.txt | 1 +
conf/cassandra.yaml | 1 +
.../cassandra/config/EncryptionOptions.java | 1 +
.../apache/cassandra/security/SSLFactory.java | 40 ++++++++++++++++----
4 files changed, 35 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 1a548d7..b80fdf3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
3.6
+ * Add require_endpoint_verification opt for internode encryption (CASSANDRA-9220)
* Add auto import java.util for UDF code block (CASSANDRA-11392)
* Add --hex-format option to nodetool getsstables (CASSANDRA-11337)
* sstablemetadata should print sstable min/max token (CASSANDRA-7159)
http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 9883533..4abe96e 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -906,6 +906,7 @@ server_encryption_options:
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
# require_client_auth: false
+ # require_endpoint_verification: false
# enable or disable client/server encryption.
client_encryption_options:
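Review bot: The new `# require_endpoint_verification: false` line says nothing about what the option does, so an operator reading the yaml cannot tell that it turns on identity verification of the peer certificate for internode TLS (the code behind it sets the JSSE `HTTPS` endpoint identification algorithm). Suggest a comment above it such as `# require_endpoint_verification: verify the peer certificate against the host it was connected to (JSSE endpoint identification); node certificates must then carry a matching SAN/CN` — the exact wording on which name is matched should be confirmed against SSLFactory, since it creates sockets from an `InetAddress` rather than a host name.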
http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index 526e356..d662871 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -30,6 +30,7 @@ public abstract class EncryptionOptions
public String algorithm = "SunX509";
public String store_type = "JKS";
public boolean require_client_auth = false;
+ public boolean require_endpoint_verification = false;
public static class ClientEncryptionOptions extends EncryptionOptions
{
http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index bef4a60..2e59b06 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -31,6 +31,7 @@ import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
@@ -60,10 +61,9 @@ public final class SSLFactory
SSLContext ctx = createSSLContext(options, true);
SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
serverSocket.setReuseAddress(true);
- String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
- serverSocket.setEnabledCipherSuites(suites);
- serverSocket.setNeedClientAuth(options.require_client_auth);
+ prepareSocket(serverSocket, options);
serverSocket.bind(new InetSocketAddress(address, port), 500);
+
return serverSocket;
}
@@ -72,8 +72,7 @@ public final class SSLFactory
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
- String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
- socket.setEnabledCipherSuites(suites);
+ prepareSocket(socket, options);
return socket;
}
@@ -82,8 +81,7 @@ public final class SSLFactory
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
- String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
- socket.setEnabledCipherSuites(suites);
+ prepareSocket(socket, options);
return socket;
}
@@ -92,9 +90,35 @@ public final class SSLFactory
{
SSLContext ctx = createSSLContext(options, true);
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
+ prepareSocket(socket, options);
+ return socket;
+ }
+
+ /** Sets relevant socket options specified in encryption settings */
+ private static void prepareSocket(SSLServerSocket serverSocket, EncryptionOptions options)
+ {
+ String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
+ if(options.require_endpoint_verification)
+ {
+ SSLParameters sslParameters = serverSocket.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ serverSocket.setSSLParameters(sslParameters);
+ }
+ serverSocket.setEnabledCipherSuites(suites);
+ serverSocket.setNeedClientAuth(options.require_client_auth);
+ }
+
+ /** Sets relevant socket options specified in encryption settings */
+ private static void prepareSocket(SSLSocket socket, EncryptionOptions options)
+ {
String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
+ if(options.require_endpoint_verification)
+ {
+ SSLParameters sslParameters = socket.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ socket.setSSLParameters(sslParameters);
+ }
socket.setEnabledCipherSuites(suites);
- return socket;
}
@SuppressWarnings("resource")
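Review bot: In the server-side `prepareSocket(SSLServerSocket, …)` the `HTTPS` endpoint identification algorithm is applied to the server socket, but in JSSE the server-side identity check runs as part of client-certificate validation, so as far as I can tell it has no effect unless `require_client_auth` is also true, and the code accepts `require_endpoint_verification=true` with `require_client_auth=false` silently. Consider stating that on the method's Javadoc (`/** Sets socket options from encryption settings; on the server side, endpoint verification only takes effect together with require_client_auth. */`) or logging a warning when that combination is configured. On the client side the sockets are created from an `InetAddress`, so the name the certificate is matched against presumably derives from the address rather than a configured host name — worth documenting so node certificates are provisioned with a matching SAN. Minor style: `if(options.require_endpoint_verification)` in both overloads should read `if (` to match the project's spacing, and the duplicated `"HTTPS"` literal could become one `private static final String` constant shared by the two overloads. The `getSocket` overload at the top of the hunk starts outside it.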