Posted to commits@cassandra.apache.org by "Jai Bheemsen Rao Dhanwada (JIRA)" <ji...@apache.org> on 2019/02/28 07:34:00 UTC
[jira] [Updated] (CASSANDRA-15038) Provide an option to Disable Truststore CA check for internode_encryption
[ https://issues.apache.org/jira/browse/CASSANDRA-15038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jai Bheemsen Rao Dhanwada updated CASSANDRA-15038:
--------------------------------------------------
Description:
Hello,
The current internode encryption between Cassandra nodes uses a keystore and truststore. However, there are some use cases where users are okay with allowing anyone to be trusted as long as they have a keystore. This requirement is only for encryption, not for trusting the identity.
It would be good to have an option to disable the Truststore CA check for the internode_encryption.
In the current cassandra.yaml, there is no way to comment out or disable the truststore and truststore password and allow anyone to connect with a certificate. `conf/.truststore`
{code:java}
server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/keystore.jks
    keystore_password: mykeypass
    truststore: /etc/cassandra/truststore.jks
    truststore_password: truststorepass
    # More advanced defaults below:
    # protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
    # require_client_auth: false
    # require_endpoint_verification: false
{code}
{noformat}
Caused by: java.io.IOException: Error creating the initializing the SSL Context
    at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
    at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
    at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
    ... 8 common frames omitted
Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
    at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
    at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
    at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
    at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
    at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
    ... 10 common frames omitted
{noformat}
Cassandra Version: 3.11.3
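A preflight check an operator could run before restarting a node with a changed server_encryption_options block, written here for this report (it is not Cassandra's own code): it catches the two failure modes the description and trace show, a store that is left unset and therefore falls back to a default path, and a store file the Cassandra process cannot read, and it flags that require_client_auth: false already means peers connecting to this node are not asked for a certificate. The parser handles only the flat layout shown in the report, the sample cassandra.yaml is constructed, and the conf/.keystore default is an assumption by analogy with the conf/.truststore path in the trace.

```python
import os
import tempfile
# Constructed sample in the layout of the report's cassandra.yaml excerpt, truststore commented out.
SAMPLE_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: {keystore}
    keystore_password: mykeypass
    # truststore: /etc/cassandra/truststore.jks
    # require_client_auth: false
"""
# Paths opened when a store is unset: truststore from the report's trace, keystore assumed by analogy.
DEFAULT_STORES = {"keystore": "conf/.keystore", "truststore": "conf/.truststore"}

def parse_section(text, section):
    """Return the 'key: value' pairs indented under `section` (flat layout only, no PyYAML)."""
    opts, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        if not line[0].isspace():
            inside = line.rstrip().rstrip(":") == section  # top-level key
        elif inside and ":" in line:
            key, value = line.strip().split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def check_internode_tls(opts, defaults=DEFAULT_STORES):
    """Preflight findings for server_encryption_options; an empty list means nothing to fix."""
    findings = []
    for store, fallback in defaults.items():
        path = opts.get(store)
        if path is None:  # unsetting a store does not disable it; the report's trace
            path = fallback  # shows the built-in default being opened instead
            findings.append(f"{store}: not set, Cassandra will open {path}")
        if not os.path.isfile(path):
            findings.append(f"{store}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            findings.append(f"{store}: {path} is not readable ('Permission denied' in the report)")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth is false: peers that connect to this node are not asked for a certificate")
    return findings

def demo():
    tmp = tempfile.mkdtemp()  # stand-in for the node's config and store directories
    keystore = os.path.join(tmp, "keystore.jks")
    open(keystore, "wb").close()  # empty placeholder, readable by us
    opts = parse_section(SAMPLE_YAML.format(keystore=keystore), "server_encryption_options")
    defaults = {"keystore": keystore, "truststore": os.path.join(tmp, "conf", ".truststore")}
    return check_internode_tls(opts, defaults)
```

The option requested in the report would leave the link encrypted but with no check of which node is on the other end, so a finding that the truststore is unset is worth treating as a configuration error rather than silencing.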
was: (the previous description, identical to the one above except that the "Cassandra Version: 3.11.3" line had not yet been added)
> Provide an option to Disable Truststore CA check for internode_encryption
> -------------------------------------------------------------------------
>
> Key: CASSANDRA-15038
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15038
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption
> Reporter: Jai Bheemsen Rao Dhanwada
> Priority: Major
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)