You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Michael Shuler (JIRA)" <ji...@apache.org> on 2016/01/06 18:43:39 UTC
[jira] [Commented] (CASSANDRA-10970) SSL/TLS: Certificate Domain is
ignored
[ https://issues.apache.org/jira/browse/CASSANDRA-10970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15085916#comment-15085916 ]
Michael Shuler commented on CASSANDRA-10970:
--------------------------------------------
bq. When I deploy this setting on a server which domain is node1.my.other-domain.com a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
Are you saying the system hostname of the server(s) is some other domain? That should be fine. An SSL example where this is expected to work:
{noformat}
mshuler@hana:~$ host www.google.com | head -1
www.google.com has address 74.125.22.105
mshuler@hana:~$ host 74.125.22.105
105.22.125.74.in-addr.arpa domain name pointer qh-in-f105.1e100.net.
{noformat}
An SSL/TLS connection to https://www.google.com/ is really coming from the host {{qh-in-f105.1e100.net}}, but the httpd service at that host describes itself as {{www.google.com}} and provides a certificate for the same, even though the host is really from the {{1e100.net}} domain.
Am I following your comment correctly? I think your desire to have this connection fail is possibly incorrect. You provided a certificate, it validated from your local CA, so the connections succeed, as expected.
> SSL/TLS: Certificate Domain is ignored
> --------------------------------------
>
> Key: CASSANDRA-10970
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10970
> Project: Cassandra
> Issue Type: Bug
> Reporter: Matthias Brandt
>
> I've set up server_encryption_options as well as client_encryption_options. In both settings, I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA, which root certificate is in the configured truststore:
> {code}
> server_encryption_options:
> internode_encryption: all
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> truststore: /etc/cassandra/conf/hpo-cacerts
> truststore_password: changeit
> require_client_auth: true
> client_encryption_options:
> enabled: true
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> require_client_auth: false
> {code}
> The certifcate's subject is:
> {code}CN=*.my.domain.com,OU=my unit,O=my org{code}
> When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
> I would expect that the connection would fail with a meaningful error message.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)