cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthias Brandt (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-10970) SSL/TLS: Certificate Domain is ignored
Date Wed, 06 Jan 2016 17:48:39 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-10970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Matthias Brandt updated CASSANDRA-10970:
----------------------------------------
    Description: 
I've set up server_encryption_options as well as client_encryption_options. In both settings,
I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA,
which root certificate is in the configured truststore:
{code}
server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    truststore: /etc/cassandra/conf/my-cacerts
    truststore_password: changeit
    require_client_auth: true

client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    require_client_auth: false
{code}

The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}

When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection
via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this
wrong domain also works.

I would expect that the connection would fail with a meaningful error message.

  was:
I've set up server_encryption_options as well as client_encryption_options. In both settings,
I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA,
which root certificate is in the configured truststore:
{code}
server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    truststore: /etc/cassandra/conf/hpo-cacerts
    truststore_password: changeit
    require_client_auth: true

client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    require_client_auth: false
{code}

The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}

When I deploy this setting on a server which domain is node1.my.*other-domain*.com a connection
via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this
wrong domain also works.

I would expect that the connection would fail with a meaningful error message.


> SSL/TLS: Certificate Domain is ignored
> --------------------------------------
>
>                 Key: CASSANDRA-10970
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10970
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Matthias Brandt
>
> I've set up server_encryption_options as well as client_encryption_options. In both settings,
I use the same keystore with an wild-card SSL certificate in it. It is signed by our own CA,
which root certificate is in the configured truststore:
> {code}
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/cassandra/conf/wildcard-cert.keystore
>     keystore_password: ""
>     truststore: /etc/cassandra/conf/my-cacerts
>     truststore_password: changeit
>     require_client_auth: true
> client_encryption_options:
>     enabled: true
>     keystore: /etc/cassandra/conf/wildcard-cert.keystore
>     keystore_password: ""
>     require_client_auth: false
> {code}
> The certifcate's subject is:
> {code}CN=*.my.domain.com,OU=my unit,O=my org{code}
> When I deploy this setting on a server which domain is node1.my.*other-domain*.com a
connection via cqlsh wrongly works. Additionally, the inter-node connection between other
nodes in this wrong domain also works.
> I would expect that the connection would fail with a meaningful error message.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message