Posted to user@cassandra.apache.org by Jai Bheemsen Rao Dhanwada <ja...@gmail.com> on 2019/02/27 23:57:25 UTC

Disable Truststore CA check for internode_encryption

Hello,

Is it possible to disable the truststore CA check for Cassandra
internode_encryption? If yes, is there a config property to do that?

Re: Disable Truststore CA check for internode_encryption

Posted by Dinesh Joshi <dj...@icloud.com.INVALID>.
> On Feb 27, 2019, at 4:20 PM, Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote:
> 
> I am trying to set up 1-way SSL; basically I am trying to use the SSL options only to encrypt the data on the wire and trust everyone who is connecting to me.
> 

It *might* be possible with a custom truststore but to the best of my knowledge Cassandra doesn't provide what you want out of the box.

Dinesh


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
For additional commands, e-mail: user-help@cassandra.apache.org


Re: Disable Truststore CA check for internode_encryption

Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
I am trying to set up 1-way SSL; basically I am trying to use the SSL
options only to encrypt the data on the wire and trust everyone who is
connecting to me.

On Wed, Feb 27, 2019 at 4:18 PM Kenneth Brotman
<ke...@yahoo.com.invalid> wrote:

> Hello,
>
> Why would you want to do that?
>
> *From:* Jai Bheemsen Rao Dhanwada [mailto:jaibheemsen@gmail.com]
> *Sent:* Wednesday, February 27, 2019 3:57 PM
> *To:* user@cassandra.apache.org
> *Subject:* Disable Truststore CA check for internode_encryption
>
> Hello,
>
> Is it possible to disable the truststore CA check for Cassandra
> internode_encryption? If yes, is there a config property to do that?

RE: Disable Truststore CA check for internode_encryption

Posted by Kenneth Brotman <ke...@yahoo.com.INVALID>.
Hello,

Why would you want to do that?

From: Jai Bheemsen Rao Dhanwada [mailto:jaibheemsen@gmail.com]
Sent: Wednesday, February 27, 2019 3:57 PM
To: user@cassandra.apache.org
Subject: Disable Truststore CA check for internode_encryption

Hello,

Is it possible to disable the truststore CA check for Cassandra internode_encryption? If yes, is there a config property to do that?


Re: Disable Truststore CA check for internode_encryption

Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
sure, thanks



On Wed, Feb 27, 2019 at 11:08 PM Jeff Jirsa <jj...@gmail.com> wrote:

> That’s client to server - internode is different
>
> Don’t think it’s possible without code modifications - please open a JIRA
>
> --
> Jeff Jirsa
>
>
> > On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
> >
> > Is server encryption option "require_client_auth: false" what you are after?
> >
> > Hannu
> >
> >> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
> >>
> >> Hello,
> >>
> >> Is it possible to disable the truststore CA check for Cassandra internode_encryption? If yes, is there a config property to do that?

Re: Disable Truststore CA check for internode_encryption

Posted by Justin Cameron <ju...@instaclustr.com>.
require_client_auth enforces mutual (two-way) authentication. The default
(require_client_auth: false) is one-way - only the server certificate is
verified. I believe you want to disable SSL authentication altogether; as
Jeff mentioned, I think you'd need to make code changes in order to do that.

If you use a public CA (like Let's Encrypt, Comodo, etc) to sign your
certificates then I think you may not need to provide a truststore to
clients, because their CA certificates should already be in Java's built-in
truststore. However, it may be difficult to find a CA that will issue a
certificate for a public IP address. I believe Let's Encrypt will only
issue certificates for DNS, not IP addresses.

On Thu, 28 Feb 2019 at 07:32, Jai Bheemsen Rao Dhanwada <
jaibheemsen@gmail.com> wrote:

> I see require_client_auth in the internode_encryption and the default
> value is false, but the Cassandra process expects a truststore and
> truststore password for Cassandra to start up.
>
> On Wed, Feb 27, 2019 at 11:25 PM Hannu Kröger <hk...@gmail.com> wrote:
>
>> I was using this as reference:
>> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html#configCassandra_yaml__SecurityProps
>>
>> And there I see “require client authentication” also in server options,
>> i.e. internode encryption.
>>
>> However I am not sure if this is what the OP is after.
>>
>> Hannu
>>
>> Jeff Jirsa <jj...@gmail.com> wrote on 28.2.2019 at 9.01:
>>
>> That’s client to server - internode is different
>>
>> Don’t think it’s possible without code modifications - please open a JIRA
>>
>> --
>> Jeff Jirsa
>>
>> On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
>>
>> Is server encryption option "require_client_auth: false" what you are
>> after?
>>
>> Hannu
>>
>> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
>>
>> Hello,
>>
>> Is it possible to disable the truststore CA check for Cassandra
>> internode_encryption? If yes, is there a config property to do that?

-- 


Justin Cameron
Senior Software Engineer



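The settings discussed in the message above, laid out as they sit in cassandra.yaml. This is an added example, not a configuration posted by anyone in the thread or shipped by the Cassandra project; the file paths, passwords and the choice of `internode_encryption: all` are placeholders and assumptions.

```yaml
# cassandra.yaml, internode (node-to-node) TLS section.
# Paths and passwords below are constructed placeholders.
server_encryption_options:
    # Which internode links are encrypted: none | all | dc | rack
    internode_encryption: all

    # This node's own private key and certificate.
    keystore: /etc/cassandra/conf/node.keystore.jks
    keystore_password: CHANGE_ME_KEYSTORE

    # CA certificate(s) used to verify the certificate a peer presents.
    # As reported in the thread, the node expects both truststore settings
    # at startup even when require_client_auth is false.
    # Importing one private CA certificate here lets the node verify every
    # peer certificate signed by that CA, so no public CA is needed.
    truststore: /etc/cassandra/conf/cluster.truststore.jks
    truststore_password: CHANGE_ME_TRUSTSTORE

    # false (default): one-way. Only the certificate of the node that
    #                  accepts the connection is verified.
    # true:            mutual. The connecting node must also present a
    #                  certificate that chains to a CA in the truststore.
    require_client_auth: false
```

In both settings of `require_client_auth` the connecting side still validates the accepting node's certificate against the truststore, which is why the thread concludes that skipping that check needs code changes rather than a config property.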
Re: Disable Truststore CA check for internode_encryption

Posted by Jai Bheemsen Rao Dhanwada <ja...@gmail.com>.
I see require_client_auth in the internode_encryption and the default value
is false, but the Cassandra process expects a truststore and truststore
password for Cassandra to start up.

On Wed, Feb 27, 2019 at 11:25 PM Hannu Kröger <hk...@gmail.com> wrote:

> I was using this as reference:
> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html#configCassandra_yaml__SecurityProps
>
> And there I see “require client authentication” also in server options,
> i.e. internode encryption.
>
> However I am not sure if this is what the OP is after.
>
> Hannu
>
> Jeff Jirsa <jj...@gmail.com> wrote on 28.2.2019 at 9.01:
>
> That’s client to server - internode is different
>
> Don’t think it’s possible without code modifications - please open a JIRA
>
> --
> Jeff Jirsa
>
> On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
>
> Is server encryption option "require_client_auth: false" what you are
> after?
>
> Hannu
>
> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
>
> Hello,
>
> Is it possible to disable the truststore CA check for Cassandra
> internode_encryption? If yes, is there a config property to do that?

Re: Disable Truststore CA check for internode_encryption

Posted by Hannu Kröger <hk...@gmail.com>.
I was using this as reference: https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/configCassandra_yaml.html#configCassandra_yaml__SecurityProps

And there I see “require client authentication” also in server options, i.e. internode encryption.

However I am not sure if this is what the OP is after. 

Hannu

> Jeff Jirsa <jj...@gmail.com> wrote on 28.2.2019 at 9.01:
> 
> That’s client to server - internode is different
> 
> Don’t think it’s possible without code modifications - please open a JIRA
> 
> -- 
> Jeff Jirsa
> 
> 
>> On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
>> 
>> Is server encryption option "require_client_auth: false" what you are after?
>> 
>> Hannu
>> 
>>> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
>>> 
>>> Hello,
>>> 
>>> Is it possible to disable the truststore CA check for Cassandra internode_encryption? If yes, is there a config property to do that?

Re: Disable Truststore CA check for internode_encryption

Posted by Jeff Jirsa <jj...@gmail.com>.
That’s client to server - internode is different

Don’t think it’s possible without code modifications - please open a JIRA

-- 
Jeff Jirsa


> On Feb 27, 2019, at 10:21 PM, Hannu Kröger <hk...@gmail.com> wrote:
> 
> Is server encryption option "require_client_auth: false" what you are after?
> 
> Hannu
> 
>> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
>> 
>> Hello,
>> 
>> Is it possible to disable the truststore CA check for Cassandra internode_encryption? If yes, is there a config property to do that?


Re: Disable Truststore CA check for internode_encryption

Posted by Hannu Kröger <hk...@gmail.com>.
Is server encryption option "require_client_auth: false" what you are after?

Hannu

> Jai Bheemsen Rao Dhanwada <ja...@gmail.com> wrote on 28.2.2019 at 1.57:
> 
> Hello,
> 
> Is it possible to disable the truststore CA check for Cassandra internode_encryption? If yes, is there a config property to do that?
