cassandra-commits mailing list archives

From "Jai Bheemsen Rao Dhanwada (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-15038) Provide an option to Disable Truststore CA check for internode_encryption
Date Fri, 01 Mar 2019 19:28:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-15038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16781997#comment-16781997 ]

Jai Bheemsen Rao Dhanwada commented on CASSANDRA-15038:
-------------------------------------------------------

[~slebresne] Thank you, yes, I agree with the security concerns; we can add warnings and enable
this so that the truststore check can be disabled. It would be great if this can be implemented.

> Provide an option to Disable Truststore CA check for internode_encryption
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15038
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15038
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Priority: Major
>
> Hello,
> The current internode encryption between Cassandra nodes uses a keystore and truststore.
> However, there are some use cases where users are okay with trusting anyone as long as
> they have a keystore. This requirement is only for encryption, not for trusting the identity.
> It would be good to have an option to disable the Truststore CA check for the internode_encryption.
>  
> In the current cassandra.yaml, there is no way to comment out/disable the truststore and
> truststore password and allow anyone to connect with a certificate.
>  
> Though `require_client_auth` is set to false, Cassandra fails to start up if we disable truststore
> and truststore_password, as it looks for the default truststore under `conf/.truststore`.
>  
> {code:java}
> server_encryption_options:
>  internode_encryption: all
>  keystore: /etc/cassandra/keystore.jks
>  keystore_password: mykeypass
>  truststore: /etc/cassandra/truststore.jks
>  truststore_password: truststorepass
>  # More advanced defaults below:
>  # protocol: TLS
>  # algorithm: SunX509
>  # store_type: JKS
>  # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>  # require_client_auth: false
>  # require_endpoint_verification: false{code}
> {noformat}
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 8 common frames omitted
> Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
>  at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
>  at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 10 common frames omitted{noformat}
>  
>  Cassandra Version: 3.11.3
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
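As an added example (not code from the issue or from the Cassandra project): a small Python lint over the server_encryption_options block quoted above. It applies what the report describes: an unset truststore falls back to conf/.truststore and breaks startup, while the requested trust-any-certificate mode (modelled here by a hypothetical `trust_any_cert` flag, not a real setting) gives encryption without peer authentication. It assumes a flat key: value block; a full cassandra.yaml would need a real YAML parser.

```python
from typing import Dict, List

DEFAULT_TRUSTSTORE = "conf/.truststore"  # fallback path seen in the quoted stack trace
DEFAULTS = {"internode_encryption": "none", "keystore": None, "keystore_password": None,
            "truststore": None, "truststore_password": None,
            "require_client_auth": False, "require_endpoint_verification": False}

# Constructed sample: the block from the issue, with the same placeholder passwords.
ISSUE_BLOCK = """\
server_encryption_options:
 internode_encryption: all
 keystore: /etc/cassandra/keystore.jks
 keystore_password: mykeypass
 truststore: /etc/cassandra/truststore.jks
 truststore_password: truststorepass
 # require_client_auth: false
 # require_endpoint_verification: false
"""


def parse_block(text: str) -> Dict[str, object]:
    """Parse the flat key: value lines of a server_encryption_options block.
    Comment lines are skipped, so commented-out keys keep their defaults."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key not in DEFAULTS:
            continue  # also drops the enclosing 'server_encryption_options:' line
        opts[key] = value.lower() == "true" if key.startswith("require_") else (value or None)
    return opts


def lint(opts: Dict[str, object], trust_any_cert: bool = False) -> List[str]:
    """Return findings for the block. trust_any_cert models the option the issue
    asks for; it is hypothetical, Cassandra 3.11 has no such setting."""
    findings: List[str] = []
    if opts["internode_encryption"] == "none":
        return findings  # no TLS between nodes, so none of the checks below apply
    if not opts["keystore"]:
        findings.append("keystore unset: node has no certificate to present")
    if trust_any_cert:
        findings.append("trust-any-cert: traffic is encrypted but peers are not "
                        "authenticated; any holder of a keystore can join the cluster")
    elif not opts["truststore"]:
        findings.append(f"truststore unset: falls back to {DEFAULT_TRUSTSTORE}; "
                        "startup fails if that file is missing or unreadable")
    if not opts["require_endpoint_verification"]:
        findings.append("require_endpoint_verification false: peer hostname is not "
                        "checked against its certificate")
    return findings
```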
