Posted to commits@cassandra.apache.org by "Dinesh Joshi (JIRA)" <ji...@apache.org> on 2019/02/28 07:43:00 UTC

[jira] [Commented] (CASSANDRA-15038) Provide an option to Disable Truststore CA check for internode_encryption

    [ https://issues.apache.org/jira/browse/CASSANDRA-15038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16780205#comment-16780205 ] 

Dinesh Joshi commented on CASSANDRA-15038:
------------------------------------------

The purpose of the Truststore is to store all certificates that your system trusts, i.e. when a node makes an outbound connection to its peer, the peer will present an SSL certificate. This certificate must be signed by a CA that your node recognizes and is part of the specified truststore. These are typically the well known CA Roots. As long as you're using a valid SSL Certificate that is signed by one of the CAs you trust, the node will accept connections from any peer. In case you'd like to use an internal CA you can simply import its certificate in this truststore.

If your request is to allow self-signed certificates then I think that is a whole other discussion.

> Provide an option to Disable Truststore CA check for internode_encryption
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15038
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15038
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Priority: Major
>
> Hello,
> The current internode encryption between cassandra nodes uses a keystore and truststore. However there are some use-cases where users are okay to allow anyone to trust as long as they have a keystore. This requirement is only for encryption but not trusting the identity.
> It would be good to have an option to disable the Truststore CA check for the internode_encryption.
>  
> In the current cassandra.yaml, there is no way to comment/disable the truststore and truststore password and allow anyone to connect with a certificate. 
>  
> Though `require_client_auth` is set to false, Cassandra fails to start up if we disable truststore and truststore_password, as it looks for the default truststore under `conf/.truststore`
>  
> {code:java}
> server_encryption_options:
>  internode_encryption: all
>  keystore: /etc/cassandra/keystore.jks
>  keystore_password: mykeypass
>  truststore: /etc/cassandra/truststore.jks
>  truststore_password: truststorepass
>  # More advanced defaults below:
>  # protocol: TLS
>  # algorithm: SunX509
>  # store_type: JKS
>  # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>  # require_client_auth: false
>  # require_endpoint_verification: false{code}
> {noformat}
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 8 common frames omitted
> Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
>  at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
>  at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 10 common frames omitted{noformat}
>  
>  Cassandra Version: 3.11.3
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
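The comment above describes the check the ticket asks to switch off: during the handshake the JVM's trust manager walks the peer's certificate chain and accepts it only if it ends in a CA held in the configured truststore. The following is an added, stand-alone Java example (not Cassandra's own code) that runs that same check offline against a JKS truststore and a peer chain in PEM form, using the standard TrustManagerFactory path an SSLContext uses. It assumes the truststore path and password from the yaml in the ticket and a hypothetical `peer-chain.pem` file; all three are passed as command-line arguments. It is useful for confirming, before rolling out internode_encryption, that a peer's certificate (for example one issued by an internal CA) is actually trusted, and for seeing what a chain that does not lead to a trusted CA would produce.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: checks whether a peer's certificate chain (PEM) would be
 * accepted by a JKS truststore, via the same TrustManagerFactory a JVM
 * SSLContext is built from. Not part of Cassandra.
 *
 * Usage (paths/password are assumptions taken from the ticket's yaml):
 *   java TruststoreCheck /etc/cassandra/truststore.jks truststorepass peer-chain.pem
 */
public class TruststoreCheck {

    /** Load the truststore and return the X509TrustManager the JVM would use. */
    static X509TrustManager loadTrustManager(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS"); // matches store_type: JKS in the yaml
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // trust anchors come only from this store, not from the JDK cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Parse one or more PEM certificates: leaf first, then any intermediates. */
    static X509Certificate[] readPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + path);
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /**
     * The actual truststore CA check: true if the chain ends in a CA (or a
     * self-signed cert) present in the truststore, false otherwise.
     */
    static boolean isTrusted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            // authType is the peer key-exchange type ("RSA" for an RSA-keyed
            // peer); the chain validation itself only needs it to be non-empty.
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <truststore.jks> <password> <peer-chain.pem>");
            System.exit(2);
        }
        X509TrustManager tm = loadTrustManager(args[0], args[1].toCharArray());
        X509Certificate[] chain = readPemChain(args[2]);

        System.out.println("truststore holds " + tm.getAcceptedIssuers().length + " trust anchor(s)");
        System.out.println("peer subject: " + chain[0].getSubjectX500Principal());
        System.out.println("peer issuer:  " + chain[0].getIssuerX500Principal());

        boolean ok = isTrusted(tm, chain);
        System.out.println(ok ? "ACCEPTED: chain ends in a CA from the truststore"
                              : "REJECTED: no CA in the truststore signs this chain");
        System.exit(ok ? 0 : 1);
    }
}
```

A REJECTED result here is the same failure a node would hit mid-handshake when a peer presents a certificate from a CA that was never imported into the truststore, and it is exactly the situation the ticket proposes to wave through. Note that this check says nothing about hostnames: whether the certificate's name matches the peer is governed separately by `require_endpoint_verification` in the same yaml section.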
