[ https://issues.apache.org/jira/browse/CASSANDRA-13404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450025#comment-16450025
]
Per Otterström commented on CASSANDRA-13404:
--------------------------------------------
Taking another stab at this ticket. Attaching an updated patch set and some dtests to go with
that.
Short recap:
* I want to add hostname validation on server side to verify client IP matches SAN field in
client certificate.
* Several concerns were raised on initial patch, "does it add value", "setting incoming IP
on the SSLHandler", "added complexity for users".
* A second patch based on a plug-in approach was created. While this approach has some interesting
benefits, it is a bit overkill for this.
Some comments on the updated patch:
* SslHandler will get client host info only when endpoint-verification is enabled, very similar
to the setup of server-server communication. When require_endpoint_verification option is
not enabled, behavior will remain unchanged.
* The require_endpoint_verification is already accepted for client-server configuration, just
currently unused and silently discared. Adding this property to the client_encryption_options
section should be manageble for our users in terms of complexity.
* The fact that this patch-set give the wanted effect is verified with the provided dtests.
* IMO the value is well argued in previous comments. When tickets like CASSANDRA-13971 gets
merged, a growing number of useres will have access to an infrastructure that manages keys
and certificates. Then hostname validation will be a common task.
Patch for trunk: https://github.com/eperott/cassandra/tree/13404-trunk
Dtests: https://github.com/eperott/cassandra-dtest/tree/13404-trunk
CircleCI (unit tests only): https://circleci.com/workflow-run/c29a6caf-1eeb-408d-a424-1ffbcaf9477d
> Hostname verification for client-to-node encryption
> ---------------------------------------------------
>
> Key: CASSANDRA-13404
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13404
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Jan Karlsson
> Assignee: Per Otterström
> Priority: Major
> Fix For: 4.x
>
> Attachments: 13404-trunk-v2.patch, 13404-trunk.txt
>
>
> Similarily to CASSANDRA-9220, Cassandra should support hostname verification for client-node
connections.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
|