[ https://issues.apache.org/jira/browse/CASSANDRA-18951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Petrov updated CASSANDRA-18951: ------------------------------------ Attachment: (was: ci_summary.json) > Add option for MutualTlsAuthenticator to restrict the certificate validity > period > --------------------------------------------------------------------------------- > > Key: CASSANDRA-18951 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18951 > Project: Cassandra > Issue Type: New Feature > Components: Feature/Authorization, Messaging/Client, > Observability/JMX, Observability/Metrics > Reporter: Francisco Guerrero > Assignee: Francisco Guerrero > Priority: Normal > Fix For: 5.1 > > Attachments: ci_summary.html, result_details.tar.gz > > Time Spent: 6h 10m > Remaining Estimate: 0h > > In {{org.apache.cassandra.auth.MutualTlsAuthenticator}}, we validate that a > certificate is valid by looking at the identities inside the > certificate and making sure the identity exists in the identity to role table. > In some situations we may want to restrict the certificates > we accept by rejecting certificates older than x amount of days. Some > certificates can be generated with long expiration dates, > and this might be undesired when you want to protect against potential > certificates being compromised. For that reason, it is > important to add an option, that when configured, we can limit the age of the > certificate we accept for mTLS authentication. > When enabled, this will force clients to have to renew certificates more > frequently, reducing the exposure of a Cassandra cluster > to leaked certificates. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org