Posted to commits@cassandra.apache.org by br...@apache.org on 2014/07/10 19:11:02 UTC
[02/10] git commit: Warn when SSL certs have expired.
Warn when SSL certs have expired.
Patch by brandonwilliams, reviewed by jasobrown for CASSANDRA-7528
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/11351e3c
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/11351e3c
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/11351e3c
Branch: refs/heads/cassandra-2.1.0
Commit: 11351e3c0dd20e60e1f21be6cfa966377a999f83
Parents: 6893130
Author: Brandon Williams <br...@apache.org>
Authored: Thu Jul 10 12:08:58 2014 -0500
Committer: Brandon Williams <br...@apache.org>
Committed: Thu Jul 10 12:08:58 2014 -0500
----------------------------------------------------------------------
CHANGES.txt | 1 +
.../apache/cassandra/security/SSLFactory.java | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/11351e3c/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 3553e4a..6b4e44b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
2.0.10
+ * Warn when SSL certificates have expired (CASSANDRA-7528)
* Workaround JVM NPE on JMX bind failure (CASSANDRA-7254)
* Fix race in FileCacheService RemovalListener (CASSANDRA-7278)
* Fix inconsistent use of consistencyForCommit that allowed LOCAL_QUORUM
http://git-wip-us.apache.org/repos/asf/cassandra/blob/11351e3c/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 73edc05..3cb0670 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -23,6 +23,9 @@ import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
@@ -48,6 +51,8 @@ public final class SSLFactory
{
private static final Logger logger = LoggerFactory.getLogger(SSLFactory.class);
+ private static boolean checkedExpiry = false;
+
public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
{
SSLContext ctx = createSSLContext(options, true);
@@ -114,6 +119,20 @@ public final class SSLFactory
KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
KeyStore ks = KeyStore.getInstance(options.store_type);
ks.load(ksf, options.keystore_password.toCharArray());
+ if (!checkedExpiry)
+ {
+ for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); )
+ {
+ String alias = aliases.nextElement();
+ if (ks.getCertificate(alias).getType().equals("X.509"))
+ {
+ Date expires = ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
+ if (expires.before(new Date()))
+ logger.warn("Certificate for {} expired on {}", alias, expires);
+ }
+ }
+ checkedExpiry = true;
+ }
kmf.init(ks, options.keystore_password.toCharArray());
ctx.init(kmf.getKeyManagers(), trustManagers, null);
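Review bot: `ks.getCertificate(alias).getType()` in the new alias loop can throw a NullPointerException, because KeyStore.getCertificate returns null for an alias that holds no certificate (for example a secret-key entry in a JCEKS or PKCS12 store), and an NPE there aborts createSSLContext instead of merely skipping the warning. Fetching the certificate once and testing it with instanceof covers both the null and the non-X.509 case and avoids the second lookup: `Certificate cert = ks.getCertificate(alias);` / `if (cert instanceof X509Certificate)` / `Date expires = ((X509Certificate) cert).getNotAfter();` (with `java.security.cert.Certificate` added to the imports). Two smaller points: the check inspects only the keystore, so an expired trust-store certificate is never reported, and `checkedExpiry` is a plain static written outside any synchronization, so concurrent first callers may each log the warning — harmless, but worth a `volatile` or a comment saying the race is accepted. createSSLContext continues outside the hunk.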