[ https://issues.apache.org/jira/browse/CASSANDRA-10970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15085916#comment-15085916 ]

Michael Shuler commented on CASSANDRA-10970:
--------------------------------------------

bq. When I deploy this setting on a server which domain is 
node1.my.other-domain.com a connection via cqlsh wrongly works. Additionally, 
the inter-node connection between other nodes in this wrong domain also works.

Are you saying the system hostname of the server(s) is some other domain? That 
should be fine. An SSL example where this is expected to work:

{noformat}
mshuler@hana:~$ host www.google.com | head -1
www.google.com has address 74.125.22.105
mshuler@hana:~$ host 74.125.22.105
105.22.125.74.in-addr.arpa domain name pointer qh-in-f105.1e100.net.
{noformat}

An SSL/TLS connection to https://www.google.com/ is really coming from the host 
{{qh-in-f105.1e100.net}}, but the httpd service at that host describes itself 
as {{www.google.com}} and provides a certificate for the same, even though the 
host is really from the {{1e100.net}} domain.

Am I following your comment correctly? I think your desire to have this 
connection fail is possibly incorrect. You provided a certificate, it validated 
from your local CA, so the connections succeed, as expected.

> SSL/TLS: Certificate Domain is ignored
> --------------------------------------
>
>                 Key: CASSANDRA-10970
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10970
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Matthias Brandt
>
> I've set up server_encryption_options as well as client_encryption_options. 
> In both settings, I use the same keystore with a wildcard SSL certificate 
> in it. It is signed by our own CA, whose root certificate is in the 
> configured truststore:
> {code}
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/cassandra/conf/wildcard-cert.keystore
>     keystore_password: ""
>     truststore: /etc/cassandra/conf/hpo-cacerts
>     truststore_password: changeit
>     require_client_auth: true
> client_encryption_options:
>     enabled: true
>     keystore: /etc/cassandra/conf/wildcard-cert.keystore
>     keystore_password: ""
>     require_client_auth: false
> {code}
> The certificate's subject is:
> {code}CN=*.my.domain.com,OU=my unit,O=my org{code}
> When I deploy this setting on a server whose domain is 
> node1.my.*other-domain*.com a connection via cqlsh wrongly works. 
> Additionally, the inter-node connection between other nodes in this wrong 
> domain also works.
> I would expect that the connection would fail with a meaningful error message.
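The check the reporter expected (matching the certificate's domain name against the host actually connected to), as an added example that is not part of the ticket or of Cassandra's code; the hostnames and the bare-CN certificate with no subjectAltNames are constructed from the ticket's description:

```python
from typing import Optional

# Added example (not Cassandra code): RFC 6125-style matching of a certificate's
# DNS names against the hostname a client connected to. This is the check that
# would reject node1.my.other-domain.com for a CN=*.my.domain.com certificate.

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # labels behind it (so "*.com" never matches), and covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]

def verify_peer_hostname(hostname: str, subject_cn: Optional[str],
                         dns_sans: tuple = ()) -> bool:
    """Return True if the certificate's names cover `hostname`.

    Per RFC 6125, DNS subjectAltNames take precedence when present; the subject
    CN is only consulted as a fallback for certificates that carry no DNS SANs.
    """
    names = dns_sans if dns_sans else ((subject_cn,) if subject_cn else ())
    return any(_dns_name_matches(name, hostname) for name in names)

# Constructed scenario from the ticket: a wildcard certificate whose subject is
# "CN=*.my.domain.com,OU=my unit,O=my org" and which carries no SANs.
TICKET_CN = "*.my.domain.com"

def check_ticket_hosts() -> dict:
    """Evaluate the ticket's certificate against a few constructed hostnames."""
    hosts = [
        "node1.my.domain.com",        # inside the certificate's domain: accept
        "node1.my.other-domain.com",  # the reporter's host: reject
        "deep.node1.my.domain.com",   # wildcard covers one label only: reject
        "my.domain.com",              # bare domain is not covered by "*.": reject
    ]
    return {h: verify_peer_hostname(h, TICKET_CN) for h in hosts}

if __name__ == "__main__":
    for host, ok in check_ticket_hosts().items():
        print(f"{host:30} {'accept' if ok else 'reject'}")
```

The same outcome is what a Java client gets once endpoint identification is switched on for the SSL engine; without it, any certificate that chains to the trusted CA is accepted regardless of the host, which is the behaviour the ticket describes.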
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)