cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Podkowinski (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-9220) Hostname verification for node-to-node encryption
Date Tue, 16 Feb 2016 12:28:18 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-9220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Stefan Podkowinski updated CASSANDRA-9220:
------------------------------------------
    Description: 
This patch will will introduce a new ssl server option: {{require_endpoint_verification}}.


Setting it will enable hostname verification for inter-node SSL communication. This is necessary
to prevent man-in-the-middle attacks when building a trust chain against a common CA. See
[here|https://tersesystems.com/2014/03/23/fixing-hostname-verification/] for background details.


Clusters that solely rely on importing all node certificates into each trust store (as described
[here|http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html])
are not effected. 

Clusters that use the same common CA to sign node certificates are potentially affected. In
case the CA signing process will allow other parties to generate certs for different purposes,
those certificates could in turn be used for MITM attacks. The provided patch will allow to
enable hostname verification to make sure not only to check if the cert is valid but also
if it has been created for the host that we're about to connect.

Corresponding dtest: [Test for CASSANDRA-9220|https://github.com/riptano/cassandra-dtest/pull/237]

Related patches from the client perspective: [Java|https://datastax-oss.atlassian.net/browse/JAVA-716],
[Python|https://datastax-oss.atlassian.net/browse/PYTHON-296]

  was:
This patch will will introduce a new ssl server option: {{require_endpoint_verification}}.


Setting it will enable hostname verification for inter-node SSL communication. This is necessary
to prevent man-in-the-middle attacks when building a trust chain against a common CA. See
[here|https://tersesystems.com/2014/03/23/fixing-hostname-verification/] for background details.


Clusters that solely rely on importing all node certificates into each trust store (as described
[here|http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html])
are not effected. 

Clusters that use the same common CA to sign node certificates are potentially affected. In
case the CA signing process will allow other parties to generate certs for different purposes,
those certificates could in turn be used for MITM attacks. The provided patch will allow to
enable hostname verification to make sure not only to check if the cert is valid but also
if it has been created for the host that we're about to connect.

Corresponding dtest: [Test for CASSANDRA-9220|https://github.com/riptano/cassandra-dtest/pull/237]

Github: 
2.0 -> [diff|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification],
[patch|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification.patch],
Trunk -> [diff|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification],
[patch|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification.patch]

Related patches from the client perspective: [Java|https://datastax-oss.atlassian.net/browse/JAVA-716],
[Python|https://datastax-oss.atlassian.net/browse/PYTHON-296]


> Hostname verification for node-to-node encryption
> -------------------------------------------------
>
>                 Key: CASSANDRA-9220
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9220
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 3.x
>
>         Attachments: sslhostverification-2.0.patch
>
>
> This patch will will introduce a new ssl server option: {{require_endpoint_verification}}.

> Setting it will enable hostname verification for inter-node SSL communication. This is
necessary to prevent man-in-the-middle attacks when building a trust chain against a common
CA. See [here|https://tersesystems.com/2014/03/23/fixing-hostname-verification/] for background
details. 
> Clusters that solely rely on importing all node certificates into each trust store (as
described [here|http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html])
are not effected. 
> Clusters that use the same common CA to sign node certificates are potentially affected.
In case the CA signing process will allow other parties to generate certs for different purposes,
those certificates could in turn be used for MITM attacks. The provided patch will allow to
enable hostname verification to make sure not only to check if the cert is valid but also
if it has been created for the host that we're about to connect.
> Corresponding dtest: [Test for CASSANDRA-9220|https://github.com/riptano/cassandra-dtest/pull/237]
> Related patches from the client perspective: [Java|https://datastax-oss.atlassian.net/browse/JAVA-716],
[Python|https://datastax-oss.atlassian.net/browse/PYTHON-296]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message