You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "John Sanda (JIRA)" <ji...@apache.org> on 2019/06/19 19:15:00 UTC
[jira] [Commented] (CASSANDRA-15132) warning should not be logged
when client auth is disabled for client encryption
[ https://issues.apache.org/jira/browse/CASSANDRA-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867922#comment-16867922 ]
John Sanda commented on CASSANDRA-15132:
----------------------------------------
I went back and looked at this again. I think it would better to reduce the logging level to DEBUG or altogether remove the log statement instead of the check that I added in my branch.
[~djoshi3] what do you think?
> warning should not be logged when client auth is disabled for client encryption
> -------------------------------------------------------------------------------
>
> Key: CASSANDRA-15132
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15132
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Encryption
> Reporter: John Sanda
> Priority: Normal
>
> CASSANDRA-14652 caused a regression for client/native transport encryption. It broken one-way TLS authentication where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as such:
> {noformat}
> client_encryption_options:
> enabled: true
> keystore: /path/to/keystore
> keystore_password: my_keystore_password
> optional: false
> require_client_auth: false
> {noformat}
> With the changes in CASSANDRA-14652, ServerConnection.java always assumes that there will always be a client certificate chain, which will not be the case with the above configuration.
> Here is the error that shows up in the logs:
> {noformat}
> ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
> at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
> at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
> at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
> at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
> at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
> at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
> at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org