Posted to commits@cassandra.apache.org by "Mikhail Stepura (JIRA)" <ji...@apache.org> on 2014/03/27 04:10:15 UTC

[jira] [Commented] (CASSANDRA-6938) Cassandra doesn't seem to present the intermediate cert during TLS handshake

    [ https://issues.apache.org/jira/browse/CASSANDRA-6938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13948821#comment-13948821 ] 

Mikhail Stepura commented on CASSANDRA-6938:
--------------------------------------------

It could be CASSANDRA-6847

> Cassandra doesn't seem to present the intermediate cert during TLS handshake
> ----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-6938
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6938
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>         Environment: Ubuntu 12.04 64bit Java 7_07 
>            Reporter: Jeff Davey
>            Priority: Minor
>
> After some considerable amount of pain, I was able to get my cert and key loaded up into a java keystore file. 
> I then added the intermediate cert and the root cert to the keystore:
> $ keytool -list  -keystore cassandra-app.jks -storepass cassandra
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Mar 26, 2014, trustedCertEntry,
> Certificate fingerprint (MD5): DD:7C:00:93:FB:75:CA:F4:FC:A4:A7:94:EF:4D:F5:41
> cassandra, Mar 26, 2014, PrivateKeyEntry, 
> Certificate fingerprint (MD5): 30:14:85:28:3A:AF:4E:E2:47:34:41:40:52:DB:FD:D6
> intermediate, Mar 26, 2014, trustedCertEntry,
> Certificate fingerprint (MD5): BA:48:2B:94:69:66:73:82:CA:16:C3:DE:E9:C8:6F:5D
> However, on connection, I do not get the intermediate cert back, and it fails to verify:
> $ openssl s_client -connect localhost:9042 -CAfile ./cacert.pem 
> CONNECTED(00000003)
> depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
>    i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
> subject=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
> issuer=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1009 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : AES256-SHA
>     Session-ID: 5333706CBA12E856B9F91AF02752F42F8988CF97AD11E9F995908FCF7C8161F5
>     Session-ID-ctx: 
>     Master-Key: AEA9EEF29307ED62D2A375F90DF3AB1447F16B953C72342B45072A490E796B25DEA72777EE979E0BA9A7B68D6B3491C8
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1395880044
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> What should happen is something like this:
> $ openssl s_client -connect localhost:4433 -CAfile ./cacert.pem 
> CONNECTED(00000003)
> depth=2 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Root CA
> verify return:1
> depth=1 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Root Sub-CA
> verify return:1
> depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
>    i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
>  1 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
>    i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> <snip>
> -----END CERTIFICATE-----
> subject=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
> issuer=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2171 bytes and written 375 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID: 0AC9EBD428EF7DE9BDED4149909280FD091A6D3543265C58BFBC1F4C8F8C717C
>     Session-ID-ctx: 
>     Master-Key: B845957597F7421314634282E83E560ED8107D61F0AC06184D135AEAFD50B338BDB9DAB11A8130773AA6D517A12E0DEA
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - 53 5b 50 6f fb f8 82 a1-87 d2 64 20 39 3c c9 c1   S[Po......d 9<..
>     0010 - a8 0c 50 85 b0 bb c5 42-c9 b7 59 4c 6a 92 1a a0   ..P....B..YLj...
>     0020 - 59 7f c4 c0 28 fe d4 91-34 02 44 ec a5 c7 66 9c   Y...(...4.D...f.
>     0030 - f8 0a d8 74 65 04 3f 15-e0 3c 46 ed cf e2 b0 de   ...te.?..<F.....
>     0040 - 01 ee 1f 40 1a 90 c0 06-12 9d 4f 35 3f 46 d1 8c   ...@......O5?F..
>     0050 - 13 55 60 0c 92 1c a3 c7-b8 ce 4e 7e 07 ff d7 e8   .U`.......N~....
>     0060 - f2 1c c1 54 c9 ac 23 f8-f2 6c d7 f5 58 a7 ad 0b   ...T..#..l..X...
>     0070 - 74 72 eb 94 df 3f 25 8d-30 61 e0 81 b0 0f fb ce   tr...?%.0a......
>     0080 - 53 ec 41 8a ac c9 1c a2-22 8e ab 81 fb d0 46 48   S.A.....".....FH
>     0090 - 14 85 53 72 fb 54 3e 60-24 b5 e8 49 5a b1 8f 08   ..Sr.T>`$..IZ...
>     Start Time: 1395880143
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> The second is by running openssl s_server and passing it the intermediary cert:
> $ openssl s_server -cert cert.pem -key cert.pem -CAfile subcacert.pem



--
This message was sent by Atlassian JIRA
(v6.2#6252)
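For the check this ticket implies on the defender's side, here is an added Python example (not from the ticket, the reporter, or Cassandra) that parses the "Certificate chain" section of the openssl s_client output quoted above and reports whether the presented chain reaches a trusted root, which is exactly how the Cassandra run differs from the s_server run. The sample inputs are constructed abbreviations of those two outputs, and TRUSTED_ROOTS is an assumed stand-in for the contents of cacert.pem.

```python
"""Check whether a TLS server sent a complete certificate chain, using the
'Certificate chain' section of `openssl s_client` output as input."""
import re
from typing import NamedTuple


class ChainCert(NamedTuple):
    subject: str
    issuer: str


# Constructed samples: the two chains from the report, DN fields abbreviated.
BROKEN_CHAIN = """\
---
Certificate chain
 0 s:/C=CA/O=Apple/CN=Testing Certificate
   i:/C=CA/O=Apple/CN=Testing Root Sub-CA
---
Server certificate
"""

FULL_CHAIN = """\
---
Certificate chain
 0 s:/C=CA/O=Apple/CN=Testing Certificate
   i:/C=CA/O=Apple/CN=Testing Root Sub-CA
 1 s:/C=CA/O=Apple/CN=Testing Root Sub-CA
   i:/C=CA/O=Apple/CN=Testing Root CA
---
"""

# Assumed stand-in for the anchors in cacert.pem (the root only, as in the report).
TRUSTED_ROOTS = {"/C=CA/O=Apple/CN=Testing Root CA"}

# One s_client chain entry: " N s:<subject>" followed by "   i:<issuer>".
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output: str) -> list[ChainCert]:
    """Return the certificates the server presented, leaf first."""
    section = s_client_output.split("Certificate chain", 1)[1].split("---", 1)[0]
    return [ChainCert(s.strip(), i.strip()) for _, s, i in _ENTRY.findall(section)]


def check_chain(chain: list[ChainCert], trusted_roots: set[str]) -> str:
    """'ok' if each cert is issued by the next one and the chain ends at a trusted
    root; otherwise a reason matching the failure openssl reports."""
    if not chain:
        return "no certificates presented"
    for cert, nxt in zip(chain, chain[1:]):
        if cert.issuer != nxt.subject:
            return f"chain break: {cert.subject} issued by {cert.issuer}, got {nxt.subject}"
    last = chain[-1]
    if last.issuer in trusted_roots or last.subject in trusted_roots:
        return "ok"
    # The report's case: the server stopped short of an anchor the client trusts
    # (openssl: 'unable to get local issuer certificate' / error 21).
    return f"incomplete chain: missing intermediate issued by {last.issuer}"
```

Run against a live server by piping `openssl s_client -connect host:9042 -CAfile cacert.pem </dev/null` into parse_chain; a result other than "ok" means clients without the intermediate preinstalled will fail verification.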