Posted to commits@cassandra.apache.org by vi...@apache.org on 2013/01/08 01:02:27 UTC
[2/3] git commit: Add support for SSL sockets to use client
certificate authentication. patch by Steven Franklin and Vijay for
CASSANDRA-5120
Add support for SSL sockets to use client certificate authentication.
patch by Steven Franklin and Vijay for CASSANDRA-5120
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4460e286
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4460e286
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4460e286
Branch: refs/heads/trunk
Commit: 4460e2865dabb1d11950c04b5a4c9b79a12301e1
Parents: 0d6131c
Author: Vijay Parthasarathy <vi...@gmail.com>
Authored: Mon Jan 7 15:58:31 2013 -0800
Committer: Vijay Parthasarathy <vi...@gmail.com>
Committed: Mon Jan 7 15:58:31 2013 -0800
----------------------------------------------------------------------
conf/cassandra.yaml | 2 ++
.../apache/cassandra/config/EncryptionOptions.java | 1 +
.../org/apache/cassandra/security/SSLFactory.java | 1 +
.../cassandra/thrift/CustomTThreadPoolServer.java | 1 +
.../org/apache/cassandra/transport/Server.java | 3 ++-
5 files changed, 7 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index f2be64a..364bdd7 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -623,6 +623,7 @@ server_encryption_options:
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+ # require_client_auth: false
# enable or disable client/server encryption.
client_encryption_options:
@@ -634,6 +635,7 @@ client_encryption_options:
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+ # require_client_auth: false
# internode_compression controls whether traffic between nodes is
# compressed.
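Review bot: The new `# require_client_auth: false` sample line gives an operator no idea what a client has to present once this is switched on, which is exactly the detail needed before flipping it to true in production. I would extend the line to `# require_client_auth: false   # true: reject clients that do not present a certificate chaining to a CA in the truststore`. The same wording would suit the server_encryption_options hunk above, where a missing or wrong truststore would presumably break internode connections rather than just client sessions.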
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index b8a5a91..fe07f68 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -27,6 +27,7 @@ public abstract class EncryptionOptions
public String protocol = "TLS";
public String algorithm = "SunX509";
public String store_type = "JKS";
+ public Boolean require_client_auth = false;
public static class ClientEncryptionOptions extends EncryptionOptions
{
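Review bot: `require_client_auth` is declared as the boxed `Boolean` rather than `boolean`, so a YAML entry with an empty value (`require_client_auth:`) can leave it null, and every consumer in this commit unboxes it directly (`setNeedClientAuth(options.require_client_auth)`), which would surface as a NullPointerException at startup instead of a clear configuration error. Declaring it as `public boolean require_client_auth = false;` keeps the same default and matches how the value is used. The enclosing class continues outside the hunk, so I cannot see whether its other boolean options follow the same convention.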
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 5e64c43..da8a3f4 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -55,6 +55,7 @@ public final class SSLFactory
serverSocket.setReuseAddress(true);
String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suits);
+ serverSocket.setNeedClientAuth(options.require_client_auth);
serverSocket.bind(new InetSocketAddress(address, port), 100);
return serverSocket;
}
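Review bot: `setNeedClientAuth(true)` on the new line only makes the handshake demand a certificate; which client certificates are then accepted is decided by the TrustManagers the surrounding `SSLContext` was initialised with, and that initialisation is outside this hunk (the method starts before it). If that context was built with a null trust-manager array, JSSE falls back to the JVM default truststore, in which case any certificate issued by a public CA would satisfy the check, which is presumably not the intent. Worth confirming that the configured truststore is loaded on this path, and saying so on the new line: `// client certs must chain to a CA in the truststore loaded into the context above`.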
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index f6ab1f7..0a456b9 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -249,6 +249,7 @@ public class CustomTThreadPoolServer extends TServer
logger.info("enabling encrypted thrift connections between client and server");
TSSLTransportParameters params = new TSSLTransportParameters(clientEnc.protocol, clientEnc.cipher_suites);
params.setKeyStore(clientEnc.keystore, clientEnc.keystore_password);
+ params.requireClientAuth(clientEnc.require_client_auth);
TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(), 0, addr.getAddress(), params);
serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize);
}
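Review bot: `params.requireClientAuth(...)` is turned on, but the only store handed to `params` in this hunk is the keystore (`params.setKeyStore(...)`); there is no `params.setTrustStore(...)`. As I read Thrift's `TSSLTransportFactory`, an unset truststore means the context is initialised without explicit TrustManagers, so client certificates would be validated against the JVM default truststore rather than the one Cassandra is configured with. If `ClientEncryptionOptions` carries truststore fields (not visible here), add `params.setTrustStore(clientEnc.truststore, clientEnc.truststore_password);` next to the keystore line; otherwise the sample config should state that the JVM default truststore applies. The enclosing method starts before the hunk.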
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index 0b43a4a..e999128 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
@@ -249,7 +249,8 @@ public class Server implements CassandraDaemon.Server
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
-
+ sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
+
SslHandler sslHandler = new SslHandler(sslEngine);
sslHandler.setIssueHandshake(true);
ChannelPipeline pipeline = super.getPipeline();