cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Per Otterström (JIRA) <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-13404) Hostname verification for client-to-node encryption
Date Tue, 24 Apr 2018 15:06:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-13404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450025#comment-16450025
] 

Per Otterström commented on CASSANDRA-13404:
--------------------------------------------

Taking another stab at this ticket. Attaching an updated patch set and some dtests to go with
that.

Short recap:
* I want to add hostname validation on server side to verify client IP matches SAN field in
client certificate.
* Several concerns were raised on initial patch, "does it add value", "setting incoming IP
on the SSLHandler", "added complexity for users".
* A second patch based on a plug-in approach was created. While this approach has some interesting
benefits, it is a bit overkill for this.

Some comments on the updated patch:
* SslHandler will get client host info only when endpoint-verification is enabled, very similar
to the setup of server-server communication. When require_endpoint_verification option is
not enabled, behavior will remain unchanged.
* The require_endpoint_verification is already accepted for client-server configuration, just
currently unused and silently discared. Adding this property to the client_encryption_options
section should be manageble for our users in terms of complexity.
* The fact that this patch-set give the wanted effect is verified with the provided dtests.
* IMO the value is well argued in previous comments. When tickets like CASSANDRA-13971 gets
merged, a growing number of useres will have access to an infrastructure that manages keys
and certificates. Then hostname validation will be a common task.

Patch for trunk: https://github.com/eperott/cassandra/tree/13404-trunk
Dtests: https://github.com/eperott/cassandra-dtest/tree/13404-trunk
CircleCI (unit tests only): https://circleci.com/workflow-run/c29a6caf-1eeb-408d-a424-1ffbcaf9477d





> Hostname verification for client-to-node encryption
> ---------------------------------------------------
>
>                 Key: CASSANDRA-13404
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13404
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Jan Karlsson
>            Assignee: Per Otterström
>            Priority: Major
>             Fix For: 4.x
>
>         Attachments: 13404-trunk-v2.patch, 13404-trunk.txt
>
>
> Similarily to CASSANDRA-9220, Cassandra should support hostname verification for client-node
connections.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message