Posted to commits@cassandra.apache.org by "Tyler Hobbs (JIRA)" <ji...@apache.org> on 2015/05/26 17:02:20 UTC

[jira] [Commented] (CASSANDRA-9220) Hostname verification for node-to-node encryption

    [ https://issues.apache.org/jira/browse/CASSANDRA-9220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14559209#comment-14559209 ] 

Tyler Hobbs commented on CASSANDRA-9220:
----------------------------------------

There are a couple of problems with this on the python side (which means cqlsh is affected). 

First, the {{match_hostname()}} function is only available in Python 3.2+, and probably 95% of users are running Python 2.  However, there is a [backport|https://pypi.python.org/pypi/backports.ssl_match_hostname] of this to Python 2, so we could potentially bundle this with cqlsh (need to look into the license compatibility).

The second problem is that {{match_hostname()}} doesn't support IP addresses.  This isn't a problem for hosts that are explicitly connected to, because you can easily provide a hostname.  However, when other nodes are discovered through {{system.peers}}, we'll only have an IP address, not a hostname.  I'm not sure what the best fix is here.

Although I would prefer not to have these problems, I don't think they're blockers for committing this.  Hostname verification would be nice even if it's not supported by cqlsh in most cases.  cqlsh would still continue to function, it just wouldn't have the full level of security.

> Hostname verification for node-to-node encryption
> -------------------------------------------------
>
>                 Key: CASSANDRA-9220
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9220
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 3.x
>
>         Attachments: sslhostverification-2.0.patch
>
>
> This patch will introduce a new ssl server option: {{require_endpoint_verification}}. 
> Setting it will enable hostname verification for inter-node SSL communication. This is necessary to prevent man-in-the-middle attacks when building a trust chain against a common CA. See [here|https://tersesystems.com/2014/03/23/fixing-hostname-verification/] for background details. 
> Clusters that solely rely on importing all node certificates into each trust store (as described [here|http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html]) are not affected. 
> Clusters that use the same common CA to sign node certificates are potentially affected. If the CA signing process allows other parties to generate certs for different purposes, those certificates could in turn be used for MITM attacks. The provided patch allows enabling hostname verification to make sure not only that the cert is valid but also that it has been created for the host we're about to connect to.
> Corresponding dtest: [Test for CASSANDRA-9220|https://github.com/riptano/cassandra-dtest/pull/237]
> Github: 
> 2.0 -> [diff|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification], [patch|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification.patch],
> Trunk -> [diff|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification], [patch|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification.patch]
> Related patches from the client perspective: [Java|https://datastax-oss.atlassian.net/browse/JAVA-716], [Python|https://datastax-oss.atlassian.net/browse/PYTHON-296]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
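The identity check the comment and the issue description are talking about, as an added example that is not part of the thread and not code from Cassandra, cqlsh, or the DataStax drivers: a hostname-verification routine in the style of Python's ssl.match_hostname() (RFC 6125 DNS-ID matching, CN fallback only when no subjectAltName is present), extended with the 'IP Address' SAN matching the comment says that function lacked, so a peer that system.peers only reports as an IP can still be verified if its certificate carries an IP SAN. It assumes Python 3 (for the ipaddress module), certificates in the dict shape ssl.SSLSocket.getpeercert() returns, and constructed sample certificates; peer_identity_matches, check_peers and the NODE*/OTHER cert names are this example's own.

```python
import ipaddress


class CertificateError(ValueError):
    """Raised for identifiers the checker refuses to interpret
    (e.g. a wildcard that is not the whole left-most label)."""


def _dnsname_match(pattern, hostname):
    """RFC 6125 DNS-ID match: case-insensitive, '*' allowed only as the
    entire left-most label, and it never matches across a dot."""
    if not pattern:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if pattern.count("*") > 1:
        raise CertificateError("too many wildcards in %r" % pattern)
    leftmost, sep, remainder = pattern.partition(".")
    if leftmost != "*" or not sep:
        raise CertificateError("unsupported wildcard pattern %r" % pattern)
    host_leftmost, host_sep, host_remainder = hostname.partition(".")
    if not host_leftmost or not host_sep:
        return False
    return remainder == host_remainder


def _ipaddress_match(cert_value, expected_ip):
    """Compare an 'IP Address' SAN entry with the address that was dialled
    as parsed addresses, so IPv6 abbreviation differences do not matter."""
    try:
        return ipaddress.ip_address(cert_value.strip()) == expected_ip
    except ValueError:
        return False


def peer_identity_matches(cert, expected):
    """True if `cert` (getpeercert() dict shape) was issued for `expected`,
    a DNS name or an IP literal.  A chain-valid certificate issued for a
    different host returns False; that is the MITM case the issue closes.
    IP literals are matched only against 'IP Address' SAN entries."""
    if not cert:
        return False
    try:
        expected_ip = ipaddress.ip_address(expected)
    except ValueError:
        expected_ip = None
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if expected_ip is None and kind == "DNS" and _dnsname_match(value, expected):
            return True
        if expected_ip is not None and kind == "IP Address" and _ipaddress_match(value, expected_ip):
            return True
    if san or expected_ip is not None:
        # A SAN extension is present (RFC 6125 6.4.4: ignore the CN), or we
        # only have an IP and the CN is not treated as an IP identifier.
        return False
    for rdn in cert.get("subject", ()):  # legacy CN-only certificate
        for key, value in rdn:
            if key == "commonName" and _dnsname_match(value, expected):
                return True
    return False


# Constructed sample certificates (not real, no CA involved), in the shape
# ssl.SSLSocket.getpeercert() returns.
NODE1_CERT = {  # issued with both a DNS and an IP SAN
    "subject": ((("commonName", "node1.example.com"),),),
    "subjectAltName": (("DNS", "node1.example.com"), ("IP Address", "10.0.0.1")),
}
NODE2_CERT_DNS_ONLY = {  # no IP SAN: fails once the node is only known by IP
    "subject": ((("commonName", "node2.example.com"),),),
    "subjectAltName": (("DNS", "node2.example.com"),),
}
OTHER_CERT = {  # valid under the same CA, but minted for another host
    "subject": ((("commonName", "other.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


def check_peers(presented):
    """presented: {address we dialled: certificate that came back}.
    Returns {address: bool}, one entry per connection attempt."""
    return {peer: peer_identity_matches(cert, peer) for peer, cert in presented.items()}


if __name__ == "__main__":
    results = check_peers({
        "node1.example.com": NODE1_CERT,  # contact point given by name
        "10.0.0.1": NODE1_CERT,           # same node, as listed in system.peers
        "10.0.0.2": NODE2_CERT_DNS_ONLY,  # discovered peer with a DNS-only cert
        "node3.example.com": OTHER_CERT,  # on-path attacker with a CA-signed cert
    })
    for peer, ok in results.items():
        print("%-20s %s" % (peer, "identity verified" if ok else "REJECTED"))
```

The "10.0.0.2" case is the gap the comment describes: a node certificate without an IP SAN cannot be verified once the client only knows the peer by the address in system.peers, so the practical fix on the operator side is to issue node certificates with both identifiers (keytool's `-ext SAN=dns:node2.example.com,ip:10.0.0.2` does this). On the client side, Python 3.7 and later check IP addresses against IP SANs natively when `check_hostname` is set on the SSLContext, and `ssl.match_hostname()` itself was removed in Python 3.12, so this limitation is specific to the Python 2 and backport era the comment is about.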