cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From vi...@apache.org
Subject [2/3] git commit: Add support for SSL sockets to use client certificate authentication. patch by Steven Franklin and Vijay for CASSANDRA-5120
Date Tue, 08 Jan 2013 00:02:27 GMT
Add support for SSL sockets to use client certificate authentication.
patch by Steven Franklin and Vijay for CASSANDRA-5120

Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4460e286
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4460e286
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4460e286

Branch: refs/heads/trunk
Commit: 4460e2865dabb1d11950c04b5a4c9b79a12301e1
Parents: 0d6131c
Author: Vijay Parthasarathy <vijay2win@gmail.com>
Authored: Mon Jan 7 15:58:31 2013 -0800
Committer: Vijay Parthasarathy <vijay2win@gmail.com>
Committed: Mon Jan 7 15:58:31 2013 -0800

----------------------------------------------------------------------
 conf/cassandra.yaml                                |    2 ++
 .../apache/cassandra/config/EncryptionOptions.java |    1 +
 .../org/apache/cassandra/security/SSLFactory.java  |    1 +
 .../cassandra/thrift/CustomTThreadPoolServer.java  |    1 +
 .../org/apache/cassandra/transport/Server.java     |    3 ++-
 5 files changed, 7 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index f2be64a..364bdd7 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -623,6 +623,7 @@ server_encryption_options:
     # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+    # require_client_auth: false
 
 # enable or disable client/server encryption.
 client_encryption_options:
@@ -634,6 +635,7 @@ client_encryption_options:
     # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+    # require_client_auth: false
 
 # internode_compression controls whether traffic between nodes is
 # compressed.

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index b8a5a91..fe07f68 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -27,6 +27,7 @@ public abstract class EncryptionOptions
     public String protocol = "TLS";
     public String algorithm = "SunX509";
     public String store_type = "JKS";
+    public Boolean require_client_auth = false;
 
     public static class ClientEncryptionOptions extends EncryptionOptions
     {

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 5e64c43..da8a3f4 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -55,6 +55,7 @@ public final class SSLFactory
         serverSocket.setReuseAddress(true);
         String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
         serverSocket.setEnabledCipherSuites(suits);
+        serverSocket.setNeedClientAuth(options.require_client_auth);
         serverSocket.bind(new InetSocketAddress(address, port), 100);
         return serverSocket;
     }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index f6ab1f7..0a456b9 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -249,6 +249,7 @@ public class CustomTThreadPoolServer extends TServer
                     logger.info("enabling encrypted thrift connections between client and
server");
                     TSSLTransportParameters params = new TSSLTransportParameters(clientEnc.protocol,
clientEnc.cipher_suites);
                     params.setKeyStore(clientEnc.keystore, clientEnc.keystore_password);
+                    params.requireClientAuth(clientEnc.require_client_auth);
                     TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(),
0, addr.getAddress(), params);
                     serverTransport = new TCustomServerSocket(sslServer.getServerSocket(),
args.keepAlive, args.sendBufferSize, args.recvBufferSize);
                 }

http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index 0b43a4a..e999128 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
@@ -249,7 +249,8 @@ public class Server implements CassandraDaemon.Server
             SSLEngine sslEngine = sslContext.createSSLEngine();
             sslEngine.setUseClientMode(false);
             sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
-
+            sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
+            
             SslHandler sslHandler = new SslHandler(sslEngine);
             sslHandler.setIssueHandshake(true);
             ChannelPipeline pipeline = super.getPipeline();


Mime
View raw message