Posted to commits@cassandra.apache.org by "Jeremy Hanna (JIRA)" <ji...@apache.org> on 2018/03/20 09:44:00 UTC

[jira] [Updated] (CASSANDRA-14295) no ssl hostname validation in cqlsh

     [ https://issues.apache.org/jira/browse/CASSANDRA-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeremy Hanna updated CASSANDRA-14295:
-------------------------------------
    Labels: Security  (was: )

> no ssl hostname validation in cqlsh
> -----------------------------------
>
>                 Key: CASSANDRA-14295
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Christian Becker
>            Priority: Major
>              Labels: Security
>
> In order to validate certificates properly the python driver requires {{check_hostname}} to be set.
> [https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]
> However it is not available as a setting in cqlsh:
> [https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]
> I noticed this because cqlsh connects to 127.0.0.1 by default, but the configured certificate contains only the hostname and the local IP. The connection was always successful. But when adding {{check_hostname}} to {{cqlshlib/sslhandling.py}}, the validation works as expected:
> current behaviour:
> {code:java}
> # cqlsh --ssl
> Connected to ****-cassandra at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> ****@cqlsh>{code}
> expected:
> {code:java}
> # cqlsh --ssl
> Connection error: ('Unable to connect to any servers', {'127.0.0.1': CertificateError("hostname '127.0.0.1' doesn't match '****'",)}){code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
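
An added example (not part of the JIRA report, and not code from cqlsh or the DataStax driver) showing what the missing check compares: the address the client dialled against the certificate's subjectAltName entries, plus the one `ssl` context flag that separates chain-only validation from chain-and-name validation. The certificate dict, the host names and all function names are constructed for illustration.

```python
import ipaddress
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# a node certificate that lists only its hostname and its LAN address.
SAMPLE_CERT = {
    "subject": ((("commonName", "node1.example.internal"),),),
    "subjectAltName": (("DNS", "node1.example.internal"),
                       ("IP Address", "10.0.0.5")),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    """True if `host` (the name or IP the client dialled) is among the cert's SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against DNS entries only.
        return any(_dns_match(v, host) for k, v in sans if k == "DNS")
    # IP literal: compare against IP Address entries only, never DNS names.
    return any(ipaddress.ip_address(v) == ip for k, v in sans if k == "IP Address")

def chain_only_context():
    """Chain is verified but the peer name is not: the behaviour the report describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    return ctx

def name_checking_context():
    """Chain and peer name are both verified during the handshake."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname defaults to True

if __name__ == "__main__":
    for target in ("127.0.0.1", "10.0.0.5", "node1.example.internal"):
        print(target, cert_matches_host(SAMPLE_CERT, target))
```

With the sample certificate, a connection to 127.0.0.1 fails the name check even though the chain is valid, which is the "expected" outcome quoted in the report.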
