Date: Thu, 27 Mar 2014 00:34:15 +0000 (UTC)
From: "Jeff Davey (JIRA)"
To: commits@cassandra.apache.org
Subject: [jira] [Created] (CASSANDRA-6938) Cassandra doesn't seem to present the intermediate cert during TLS handshake

Jeff Davey created CASSANDRA-6938:
-------------------------------------

             Summary: Cassandra doesn't seem to present the intermediate cert during TLS handshake
                 Key: CASSANDRA-6938
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6938
             Project: Cassandra
          Issue Type: Bug
          Components: Core
         Environment: Ubuntu 12.04 64bit Java 7_07
            Reporter: Jeff Davey
            Priority: Minor
             Fix For: 2.0.4


After some considerable amount of pain, I was able to get my cert and key loaded up into a Java keystore file.
I then added the intermediate cert and the root cert to the keystore:

$ keytool -list -keystore cassandra-app.jks -storepass cassandra

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Mar 26, 2014, trustedCertEntry,
Certificate fingerprint (MD5): DD:7C:00:93:FB:75:CA:F4:FC:A4:A7:94:EF:4D:F5:41
cassandra, Mar 26, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 30:14:85:28:3A:AF:4E:E2:47:34:41:40:52:DB:FD:D6
intermediate, Mar 26, 2014, trustedCertEntry,
Certificate fingerprint (MD5): BA:48:2B:94:69:66:73:82:CA:16:C3:DE:E9:C8:6F:5D

However, on connection, I do not get the intermediate cert back, and it fails to verify:

$ openssl s_client -connect localhost:9042 -CAfile ./cacert.pem
CONNECTED(00000003)
depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
issuer=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
---
No client certificate CA names sent
---
SSL handshake has read 1009 bytes and written 567 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 5333706CBA12E856B9F91AF02752F42F8988CF97AD11E9F995908FCF7C8161F5
    Session-ID-ctx:
    Master-Key: AEA9EEF29307ED62D2A375F90DF3AB1447F16B953C72342B45072A490E796B25DEA72777EE979E0BA9A7B68D6B3491C8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1395880044
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

What should happen is something like this:

$ openssl s_client -connect localhost:4433 -CAfile ./cacert.pem
CONNECTED(00000003)
depth=2 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Root CA
verify return:1
depth=1 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Root Sub-CA
verify return:1
depth=0 C = CA, ST = Alberta, L = Camrose, O = Apple, OU = , emailAddress = xxx@apple.com, CN = Testing Certificate
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
 1 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
issuer=/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
---
No client certificate CA names sent
---
SSL handshake has read 2171 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0AC9EBD428EF7DE9BDED4149909280FD091A6D3543265C58BFBC1F4C8F8C717C
    Session-ID-ctx:
    Master-Key: B845957597F7421314634282E83E560ED8107D61F0AC06184D135AEAFD50B338BDB9DAB11A8130773AA6D517A12E0DEA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 5b 50 6f fb f8 82 a1-87 d2 64 20 39 3c c9 c1   S[Po......d 9<..
    0010 - a8 0c 50 85 b0 bb c5 42-c9 b7 59 4c 6a 92 1a a0   ..P....B..YLj...
    0020 - 59 7f c4 c0 28 fe d4 91-34 02 44 ec a5 c7 66 9c   Y...(...4.D...f.
    0030 - f8 0a d8 74 65 04 3f 15-e0 3c 46 ed cf e2 b0 de   ...te.?..`$..IZ...

    Start Time: 1395880143
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The second is by running openssl s_server and passing it the intermediary cert:

$ openssl s_server -cert cert.pem -key cert.pem -CAfile subcacert.pem



--
This message was sent by Atlassian JIRA
(v6.2#6252)
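The check Jeff performs by eye above (does the server send the leaf plus its intermediate, and does the top of what it sends chain to the client's -CAfile?) can be automated over a captured s_client transcript. The following is an added example, not code from the ticket or from Cassandra. It parses the "Certificate chain" block s_client prints and replays the client's walk: every certificate's issuer must be the subject of the next certificate the server sent, and the last issuer must be a trusted CA. The chain sections and the subject names are copied from the two transcripts in the report; the trust-store contents (the root only) are an assumption about what cacert.pem holds.

```python
"""Chain-completeness check over `openssl s_client` output.

Added example for CASSANDRA-6938; not part of the ticket or of Cassandra.
Walks the chain the server sent the way the client does: each issuer must
be the subject of the next served certificate, and the top issuer must be
in the client's trust store. The root need not be sent; the intermediates
must be.
"""
import re

# Constructed input: the "Certificate chain" sections of the two s_client
# transcripts in the report (subject/issuer names copied from the ticket).
BROKEN_OUTPUT = """\
---
Certificate chain
 0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
---
Server certificate
"""

GOOD_OUTPUT = """\
---
Certificate chain
 0 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Certificate
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
 1 s:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root Sub-CA
   i:/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root CA
---
Server certificate
"""

# Assumed content of the client's -CAfile (cacert.pem): the root only.
TRUSTED_SUBJECTS = {
    "/C=CA/ST=Alberta/L=Camrose/O=Apple/OU=/emailAddress=xxx@apple.com/CN=Testing Root CA",
}

_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    lines = iter(s_client_output.splitlines())
    for line in lines:                      # skip to the chain block
        if line.strip() == "Certificate chain":
            break
    chain, subject = [], None
    for line in lines:
        if line.startswith("---"):          # end of the chain block
            break
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def verify_chain(chain, trusted_subjects):
    """Give OpenSSL's verdict on the served chain as (code, message).

    Codes are the verify return codes seen in the report: 0 ok;
    21 "unable to verify the first certificate" (only the leaf was sent
    and its issuer is unknown); 20 "unable to get local issuer
    certificate" (more was sent, but its top does not reach the store).
    """
    if not chain:
        return 21, "unable to verify the first certificate: nothing sent"
    for depth, (subject, issuer) in enumerate(chain):
        if issuer in trusted_subjects:
            return 0, "ok: issuer at depth %d is in the trust store" % depth
        if depth + 1 < len(chain) and chain[depth + 1][0] == issuer:
            continue                        # issuer was sent too; walk up
        if len(chain) == 1:
            return 21, "unable to verify the first certificate: %s not sent" % issuer
        return 20, "unable to get local issuer certificate: %s" % issuer


def missing_intermediates(chain, trusted_subjects):
    """Issuers the server referenced but neither sent nor the client trusts."""
    sent = {subject for subject, _ in chain}
    return [issuer for _, issuer in chain
            if issuer not in sent and issuer not in trusted_subjects]


def check(s_client_output, trusted_subjects=TRUSTED_SUBJECTS):
    """Parse and verify in one step; returns (code, message, missing)."""
    chain = parse_chain(s_client_output)
    code, message = verify_chain(chain, trusted_subjects)
    return code, message, missing_intermediates(chain, trusted_subjects)


if __name__ == "__main__":
    for label, output in (("port 9042 (Cassandra)", BROKEN_OUTPUT),
                          ("port 4433 (s_server)", GOOD_OUTPUT)):
        code, message, missing = check(output)
        print("%s: verify return code %d (%s)" % (label, code, message))
        for name in missing:
            print("  server did not send: %s" % name)
```

Run against the Cassandra transcript it returns code 21 and names "Testing Root Sub-CA" as the certificate the server failed to send; against the s_server transcript it returns 0. As for why the keystore above does not help, stated as the editor's understanding rather than something the ticket establishes: the Java key manager presents only the chain stored with the PrivateKeyEntry (what `keytool -list -v` reports as "Certificate chain length"), and a separate trustedCertEntry holding the intermediate is not consulted when the server builds its Certificate message. The intermediate therefore has to be imported into the key entry itself, for example by bundling key, leaf and intermediate into a PKCS#12 with `openssl pkcs12 -export -inkey ... -in ... -certfile ...` and converting that with `keytool -importkeystore`.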