Posted to commits@cassandra.apache.org by "John Sanda (JIRA)" <ji...@apache.org> on 2019/05/21 01:19:00 UTC

[jira] [Updated] (CASSANDRA-15132) one-way TLS authentication for client encryption is broken

     [ https://issues.apache.org/jira/browse/CASSANDRA-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Sanda updated CASSANDRA-15132:
-----------------------------------
    Description: 
CASSANDRA-14652 caused a regression for client/native transport encryption. It broke one-way TLS authentication, where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as such:

{noformat}
client_encryption_options:
  enabled: true
  keystore: /path/to/keystore
  keystore_password: my_keystore_password
  optional: false
  require_client_auth: false
{noformat}

With the changes in CASSANDRA-14652, ServerConnection.java always assumes that there will always be a client certificate chain, which will not be the case with the above configuration.

Here is the error that shows up in the logs:

{noformat}
ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
        at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
        at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
        at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
        at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
        at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
        at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
        at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
        at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
{noformat}

  was:
CASSANDRA-14652 caused a regression for client/native transport encryption. It broke one-way TLS authentication, where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as such:

{noformat}
client_encryption_options:
  enabled: true
  keystore: /path/to/keystore
  keystore_password: my_keystore_password
  optional: false
  require_client_auth: false
{noformat}

With the changes in CASSANDRA-14652, ServerConnection.java always assumes that there will always be a client certificate chain, which will not be the case with the above configuration.


> one-way TLS authentication for client encryption is broken
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-15132
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15132
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: John Sanda
>            Priority: Normal
>
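The failure mode above is the server treating "no client certificate was presented" as an error, when with require_client_auth: false it is the expected outcome of a one-way TLS handshake. The following helper is an added example written for this page, not code from the Cassandra project or from the reporter: it reads the peer chain from a negotiated SSLSession and only propagates SSLPeerUnverifiedException when mutual TLS was actually configured. The class name PeerCertificates and the method clientChainOrNull are hypothetical; it uses SSLSession.getPeerCertificates() rather than the deprecated getPeerCertificateChain() that appears in the stack trace, and main() drives it with a constructed java.lang.reflect.Proxy stand-in for a session in which the client sent no certificate.

```java
import java.lang.reflect.Proxy;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical helper (not Cassandra code): fetch the client's certificate chain
 * from a completed TLS handshake without assuming that one exists.
 *
 * With client_encryption_options.require_client_auth: false the server never asks
 * the client for a certificate, so SSLSession.getPeerCertificates() throws
 * SSLPeerUnverifiedException. In that configuration the exception simply means
 * "one-way TLS, nothing to authenticate" and must not be logged as an error.
 */
public final class PeerCertificates
{
    private PeerCertificates() {}

    /**
     * @param session           the negotiated TLS session for the connection
     * @param requireClientAuth the configured value of require_client_auth
     * @return the client's X.509 chain, or null when no client certificate was
     *         presented and none was required
     * @throws SSLPeerUnverifiedException when a client certificate is required but
     *         the peer did not present a usable one (defence in depth; the handshake
     *         itself should already have rejected such a peer)
     */
    public static X509Certificate[] clientChainOrNull(SSLSession session, boolean requireClientAuth)
        throws SSLPeerUnverifiedException
    {
        Certificate[] chain;
        try
        {
            chain = session.getPeerCertificates();
        }
        catch (SSLPeerUnverifiedException e)
        {
            if (requireClientAuth)
                throw e;      // mutual TLS was configured: an absent chain is a real failure
            return null;      // one-way TLS: the client is not expected to authenticate
        }

        // A chain that is present must still be X.509 before anything downstream
        // (role mapping, certificate-based authenticators) inspects it.
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++)
        {
            if (!(chain[i] instanceof X509Certificate))
                throw new SSLPeerUnverifiedException("non-X.509 certificate in client chain");
            x509[i] = (X509Certificate) chain[i];
        }
        return x509;
    }

    public static void main(String[] args) throws Exception
    {
        // Constructed stand-in for a one-way TLS session: the JDK reports "peer not
        // authenticated" because the client was never asked for a certificate.
        SSLSession noClientCert = (SSLSession) Proxy.newProxyInstance(
            SSLSession.class.getClassLoader(),
            new Class<?>[] { SSLSession.class },
            (proxy, method, margs) -> {
                if (method.getName().equals("getPeerCertificates"))
                    throw new SSLPeerUnverifiedException("peer not authenticated");
                throw new UnsupportedOperationException(method.getName());
            });

        // require_client_auth: false -> no error, just "no chain"
        X509Certificate[] chain = clientChainOrNull(noClientCert, false);
        System.out.println("one-way TLS, chain present: " + (chain != null));

        // require_client_auth: true -> the same condition is a genuine failure
        try
        {
            clientChainOrNull(noClientCert, true);
            System.out.println("mutual TLS: unexpectedly accepted a peer with no certificate");
        }
        catch (SSLPeerUnverifiedException e)
        {
            System.out.println("mutual TLS rejected peer: " + e.getMessage());
        }
    }
}
```

The design point is that the decision to tolerate a missing chain is driven by the configured require_client_auth flag, not by catching and ignoring the exception unconditionally; with mutual TLS configured, an unverified peer reaching the SASL negotiator is still treated as a failure.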



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
