cassandra-commits mailing list archives

From Per Otterström (JIRA) <>
Subject [jira] [Commented] (CASSANDRA-13404) Hostname verification for client-to-node encryption
Date Tue, 24 Apr 2018 15:06:00 GMT


Per Otterström commented on CASSANDRA-13404:

Taking another stab at this ticket. Attaching an updated patch set and some dtests to go with

Short recap:
* I want to add hostname validation on server side to verify client IP matches SAN field in
client certificate.
* Several concerns were raised on initial patch, "does it add value", "setting incoming IP
on the SSLHandler", "added complexity for users".
* A second patch based on a plug-in approach was created. While this approach has some interesting
benefits, it is a bit overkill for this.

Some comments on the updated patch:
* SslHandler will get client host info only when endpoint-verification is enabled, very similar
to the setup of server-server communication. When require_endpoint_verification option is
not enabled, behavior will remain unchanged.
* The require_endpoint_verification is already accepted for client-server configuration, just
currently unused and silently discarded. Adding this property to the client_encryption_options
section should be manageable for our users in terms of complexity.
* The fact that this patch-set gives the wanted effect is verified with the provided dtests.
* IMO the value is well argued in previous comments. When tickets like CASSANDRA-13971 get
merged, a growing number of users will have access to an infrastructure that manages keys
and certificates. Then hostname validation will be a common task.

Patch for trunk:
CircleCI (unit tests only):

> Hostname verification for client-to-node encryption
> ---------------------------------------------------
>                 Key: CASSANDRA-13404
>                 URL:
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Jan Karlsson
>            Assignee: Per Otterström
>            Priority: Major
>             Fix For: 4.x
>         Attachments: 13404-trunk-v2.patch, 13404-trunk.txt
> Similarly to CASSANDRA-9220, Cassandra should support hostname verification for client-node
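
The mechanism the comment describes, as an added illustration that is not Cassandra's own code or the attached patch: a server-side SSLEngine is created with the connecting client's address and the JSSE "HTTPS" endpoint identification algorithm, so the JDK trust manager compares the client certificate's subjectAltName entries against that address while validating the chain. The class and method names, the `requireEndpointVerification` parameter and the Netty SslHandler wiring are assumptions; only `require_endpoint_verification` and `client_encryption_options` come from the ticket.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import io.netty.handler.ssl.SslHandler;

/**
 * Illustration (not Cassandra's code) of how endpoint verification of a client
 * certificate works in JSSE. With a peer host set on the engine and the "HTTPS"
 * identification algorithm enabled, the trust manager checks the client
 * certificate's SAN (IP or DNS entries) against that host during the handshake.
 */
public final class ClientEndpointVerification {

    private ClientEndpointVerification() {}

    /**
     * Builds a server-mode engine for one accepted connection.
     *
     * @param ctx    SSLContext holding the node's key and trust material
     * @param remote address of the connecting client
     * @param requireEndpointVerification value of
     *        client_encryption_options.require_endpoint_verification (assumed plumbing)
     */
    public static SSLEngine newServerEngine(SSLContext ctx, InetSocketAddress remote,
                                            boolean requireEndpointVerification) {
        SSLEngine engine;
        if (requireEndpointVerification) {
            // Hand the client's IP literal (no reverse DNS) to the engine; the trust
            // manager matches it against the IPAddress SAN entries of the client cert.
            engine = ctx.createSSLEngine(remote.getAddress().getHostAddress(), remote.getPort());
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        } else {
            // Option off: no peer host, no identity check, behaviour unchanged.
            engine = ctx.createSSLEngine();
        }
        engine.setUseClientMode(false);
        // A client certificate must be presented, otherwise there is no SAN to verify.
        engine.setNeedClientAuth(true);
        return engine;
    }

    /** Wraps the engine in the Netty handler that sits in the client connection pipeline. */
    public static SslHandler newSslHandler(SSLContext ctx, InetSocketAddress remote,
                                           boolean requireEndpointVerification) {
        return new SslHandler(newServerEngine(ctx, remote, requireEndpointVerification));
    }
}
```

If the client certificate carries no SAN entry matching the connecting address, the handshake fails with a certificate exception on the server side rather than after authentication, which is the detection point a defender should monitor.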

This message was sent by Atlassian JIRA
