cassandra-commits mailing list archives

From "Ryan McGuire (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.
Date Wed, 27 Feb 2013 18:03:14 GMT

[ https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588564#comment-13588564 ]

Ryan McGuire commented on CASSANDRA-5120:
-----------------------------------------

I have verified that Cassandra always rejects a client certificate when *require_client_auth
= true*. It cannot verify a key that it does not know about. If there is currently a way of
installing my client certificate on the server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so that I could
see how this would work with a server that does accept client certificates. stunnel has the
option to verify client certificates with its verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 9999
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1:9999 -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with a client certificate.
With *require_client_auth=false*, the connection is always allowed whether I use a client
certificate or not. With *require_client_auth=true* the connection is always terminated, regardless
of whether I specify a client certificate, because the server does not know about my certificate.

If Cassandra were to know about my certificate, I suspect this would work.
                
> Add support for SSL sockets to use client certificate authentication.
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-5120
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.0
>            Reporter: Steven Franklin
>            Assignee: Steven Franklin
>            Priority: Minor
>             Fix For: 1.2.1
>
>         Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
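The three outcomes described in the comment above (no client auth: anything connects; client auth required with a certificate the server trusts: accepted; required with no certificate or an unknown one: rejected) can be reproduced in-process without stunnel or openssl. The following Go example is added here and is not code from the JIRA thread or from Cassandra; `newIdentity` and `handshakeOK` are its own names, the certificates are throwaway test material, and `tls.RequireAndVerifyClientCert` / `tls.NoClientCert` stand in for `require_client_auth=true` / `false`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newIdentity builds a constructed self-signed certificate (throwaway test material,
// not a deployment key) plus a pool that trusts only that certificate.
func newIdentity(name string) (tls.Certificate, *x509.CertPool) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// handshakeOK drives one in-memory TLS connection: the server enforces policy (the analogue
// of require_client_auth) against clientCAs, the client presents clientCert (nil = none).
// Success means the client read the server's post-handshake byte; under TLS 1.3 a rejected
// client certificate only surfaces on the client's first Read, not in the handshake itself.
func handshakeOK(policy tls.ClientAuthType, clientCAs *x509.CertPool, clientCert *tls.Certificate) bool {
	serverCert, serverPool := newIdentity("server")
	cs, ss := net.Pipe()
	server := tls.Server(ss, &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy, ClientCAs: clientCAs})
	go func() { // server side: only a handshake that passed client-cert verification earns the byte
		if server.Handshake() == nil {
			server.Write([]byte{'+'})
		}
		server.Close()
	}()
	cfg := &tls.Config{RootCAs: serverPool, ServerName: "server"}
	if clientCert != nil { // present exactly this cert, even if the server's CA list would not match it
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	client := tls.Client(cs, cfg)
	defer client.Close()
	buf := make([]byte, 1) // Read performs the handshake implicitly
	_, err := client.Read(buf)
	return err == nil && buf[0] == '+'
}
```

The "unknown certificate" case is the one the comment hits against Cassandra: the server's trust pool (the counterpart of stunnel's CAfile/CApath) does not contain the client's certificate, so verification fails and the connection is torn down.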
