Posted to commits@cassandra.apache.org by "Thanh (Jira)" <ji...@apache.org> on 2020/06/22 18:59:00 UTC

[jira] [Updated] (CASSANDRA-15891) provide a configuration option such as endpoint_verification_method

     [ https://issues.apache.org/jira/browse/CASSANDRA-15891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thanh updated CASSANDRA-15891:
------------------------------
    Summary: provide a configuration option such as endpoint_verification_method  (was: allow cassandra admin to decide what endpoint to use for endpoint verification)

> provide a configuration option such as endpoint_verification_method
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-15891
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15891
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Thanh
>            Priority: Normal
>
> With CASSANDRA-9220, it's possible to configure endpoint/hostname verification when enabling internode encryption.  However, you don't have any control over what endpoint is used for the endpoint verification; instead, Cassandra will automatically try to use the node IP (not the node hostname) for endpoint verification, so if your node certificates don't include the IP in the SSL certificate's SAN list, then you'll get an error like:
> {code:java}
> ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]] 
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <NODE_IP_ADDRESS> found 
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) {code}
> From what I've seen, most orgs will not have node IPs in their certs.
> So, it would be best if Cassandra provided another configuration option such as *{{endpoint_verification_method}}* which you could set to "ip" or "fqdn" or something else (e.g. "hostname_alias" if for whatever reason the org doesn't want to use the FQDN for endpoint verification).



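Added example, not part of this Jira ticket and not Cassandra's code: a Python model of the check that produced the "No subject alternative names matching IP address" error above, and of what the proposed endpoint_verification_method would change. It assumes the two values "ip" and "fqdn" from the ticket (a proposal, not a shipped option) and two constructed SAN lists in the tuple shape Python's ssl.SSLSocket.getpeercert()["subjectAltName"] returns; the matching rule mirrors the Java HTTPS endpoint-identification behaviour (an IP-literal endpoint is compared only against iPAddress SAN entries, a hostname only against dNSName entries).

```python
"""Model of Java-style endpoint identification against a certificate's
subjectAltName, plus the endpoint_verification_method switch proposed in
CASSANDRA-15891. Example code written for this page, not Cassandra's own.
"""
import ipaddress

# Constructed samples (not real certificates), in the tuple-of-tuples shape
# that ssl.SSLSocket.getpeercert()["subjectAltName"] uses.
CERT_DNS_ONLY = (("DNS", "node1.example.com"), ("DNS", "*.dc1.example.com"))
CERT_WITH_IP = (("DNS", "node1.example.com"), ("IP Address", "10.10.88.194"))


def is_ip_literal(endpoint: str) -> bool:
    """True for IPv4/IPv6 literals, False for hostnames."""
    try:
        ipaddress.ip_address(endpoint)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a wildcard is allowed
    only as the entire leftmost label, and it never matches across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(san, endpoint: str) -> bool:
    """The rule behind the ticket's error: an IP-literal endpoint is checked
    only against iPAddress entries, a hostname only against dNSName entries.
    A cert whose SAN holds only DNS names therefore fails for an IP endpoint."""
    if is_ip_literal(endpoint):
        target = ipaddress.ip_address(endpoint)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target
                   for kind, value in san)
    return any(kind == "DNS" and dns_name_matches(value, endpoint)
               for kind, value in san)


def verify_endpoint(san, node_ip: str, node_fqdn: str, method: str = "ip") -> bool:
    """Hypothetical endpoint_verification_method from the ticket: choose which
    identity of the peer must appear in its SAN before matching. Today's
    behaviour corresponds to method="ip"."""
    if method == "ip":
        endpoint = node_ip
    elif method == "fqdn":
        endpoint = node_fqdn
    else:
        raise ValueError(f"unknown endpoint_verification_method: {method!r}")
    return san_matches(san, endpoint)


if __name__ == "__main__":
    node_ip, node_fqdn = "10.10.88.194", "node1.example.com"
    for name, san in (("DNS-only cert", CERT_DNS_ONLY), ("cert with IP SAN", CERT_WITH_IP)):
        for method in ("ip", "fqdn"):
            ok = verify_endpoint(san, node_ip, node_fqdn, method)
            print(f"{name:18} method={method:4} -> {'OK' if ok else 'HANDSHAKE FAILS'}")
```

To see which case a real node certificate falls into, list its SAN with `openssl x509 -in node.crt -noout -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or later); if only `DNS:` entries come back, the IP-literal check quoted in the ticket fails exactly as shown, and without the proposed option the only remedy is reissuing the node certificates with an `IP:` SAN entry for each node.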