cassandra-commits mailing list archives

From "Ryan McGuire (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.
Date Wed, 27 Feb 2013 18:03:14 GMT


Ryan McGuire commented on CASSANDRA-5120:

I have verified that Cassandra always rejects a client certificate when *require_client_auth
= true*. It cannot verify a key that it does not know about. If there is currently a way of
installing my client certificate on the server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so that I could
see how this would work with a server that does accept client certificates. stunnel has the
option to verify client certificates with its verify=3 option:

cert = server.pem
setuid = ryan
pid = /tmp/
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

accept = 9999
connect =

I can connect to this example server using OpenSSL's client:

openssl s_client -connect -cert client.pem

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with a client certificate.
With *require_client_auth=false*, the connection is always allowed whether I use a client
certificate or not. With *require_client_auth=true* the connection is always terminated, regardless
of whether I specify a client certificate, because the server does not know about my certificate.

If Cassandra were to know about my certificate, I suspect this would work.
> Add support for SSL sockets to use client certificate authentication.
> ---------------------------------------------------------------------
>                 Key: CASSANDRA-5120
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.0
>            Reporter: Steven Franklin
>            Assignee: Steven Franklin
>            Priority: Minor
>             Fix For: 1.2.1
>         Attachments: trunk-5120.txt
> Add an option to EncryptionOptions to require client certificate authentication.
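The behaviour Ryan observed is the general rule for mutual TLS: a server that requires a client certificate can only admit clients whose certificate chains to a CA in the server's trust store, and the stunnel `verify = 3` / `CAfile` setup is just one way of providing that store. The following Go program is an added example written for this archive page; it is not code from the ticket, from Ryan's test setup or from Cassandra. It uses only the Go standard library to mint a throwaway server CA, a server certificate, a separate client CA and a client certificate (the names "demo server CA", "cassandra-node", "ryan" and the helpers `newCert`, `pool`, `handshake` and `RunScenario` are constructed for the demo), then runs a loopback handshake twice: once with the client's CA absent from the server's trust store, once with it installed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a P-256 certificate for the demo: a self-signed CA when
// parent is nil, otherwise a leaf for 127.0.0.1 signed by parent.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pool builds a trust store from CA certificates.
func pool(cas ...tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, ca := range cas {
		p.AddCert(ca.Leaf)
	}
	return p
}

// handshake runs one loopback connection whose server demands a client certificate
// (require_client_auth = true) and trusts only clientCAs; nil means the client was admitted.
func handshake(server, client tls.Certificate, serverRoots, clientCAs *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil { // the client chain is verified here
				_, err = c.Write([]byte("ok"))
			}
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: serverRoots, Certificates: []tls.Certificate{client}})
	if err != nil {
		return err // TLS 1.2: the server's alert already aborted the client handshake
	}
	defer conn.Close()
	_, _ = conn.Read(make([]byte, 2)) // wait for "ok" or the server's alert (TLS 1.3)
	return <-verdict
}

// RunScenario presents a client certificate issued by its own CA to a server that does not know that CA, then to one that does.
func RunScenario() (unknownCA, installedCA error) {
	serverCA := newCert("demo server CA", nil)
	server := newCert("cassandra-node", &serverCA)
	clientCA := newCert("demo client CA", nil)
	client := newCert("ryan", &clientCA)
	unknownCA = handshake(server, client, pool(serverCA), pool(serverCA))
	installedCA = handshake(server, client, pool(serverCA), pool(serverCA, clientCA))
	return
}

func main() {
	unknown, installed := RunScenario()
	fmt.Println("client CA not in server trust store ->", unknown)
	fmt.Println("client CA installed on the server   ->", installed)
}
```

Running it prints a non-nil error (a certificate signed by an unknown authority) for the first handshake and `<nil>` for the second, which is exactly the difference between the stunnel server that had `CAfile` pointing at the client's CA and a Cassandra node whose trust store contains only its own material. The server-side `Handshake()` error is the authoritative verdict; the client's own `Dial` may still succeed under TLS 1.3 because the rejection alert arrives only after the client has finished its half of the handshake, which is why the example reads from the connection before reporting.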
