[
https://issues.apache.org/jira/browse/CASSANDRA-10970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matthias Brandt updated CASSANDRA-10970:
----------------------------------------
Description:
I've set up server_encryption_options as well as client_encryption_options. In
both settings, I use the same keystore with an wild-card SSL certificate in it.
It is signed by our own CA, which root certificate is in the configured
truststore:
{code}
server_encryption_options:
internode_encryption: all
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
truststore: /etc/cassandra/conf/my-cacerts
truststore_password: changeit
require_client_auth: true
client_encryption_options:
enabled: true
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
require_client_auth: false
{code}
The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}
When I deploy this setting on a server which domain is
node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally,
the inter-node connection between other nodes in this wrong domain also works.
I would expect that the connection would fail with a meaningful error message.
was:
I've set up server_encryption_options as well as client_encryption_options. In
both settings, I use the same keystore with an wild-card SSL certificate in it.
It is signed by our own CA, which root certificate is in the configured
truststore:
{code}
server_encryption_options:
internode_encryption: all
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
truststore: /etc/cassandra/conf/hpo-cacerts
truststore_password: changeit
require_client_auth: true
client_encryption_options:
enabled: true
keystore: /etc/cassandra/conf/wildcard-cert.keystore
keystore_password: ""
require_client_auth: false
{code}
The certifcate's subject is:
{code}CN=*.my.domain.com,OU=my unit,O=my org{code}
When I deploy this setting on a server which domain is
node1.my.*other-domain*.com a connection via cqlsh wrongly works. Additionally,
the inter-node connection between other nodes in this wrong domain also works.
I would expect that the connection would fail with a meaningful error message.
> SSL/TLS: Certificate Domain is ignored
> --------------------------------------
>
> Key: CASSANDRA-10970
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10970
> Project: Cassandra
> Issue Type: Bug
> Reporter: Matthias Brandt
>
> I've set up server_encryption_options as well as client_encryption_options.
> In both settings, I use the same keystore with an wild-card SSL certificate
> in it. It is signed by our own CA, which root certificate is in the
> configured truststore:
> {code}
> server_encryption_options:
> internode_encryption: all
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> truststore: /etc/cassandra/conf/my-cacerts
> truststore_password: changeit
> require_client_auth: true
> client_encryption_options:
> enabled: true
> keystore: /etc/cassandra/conf/wildcard-cert.keystore
> keystore_password: ""
> require_client_auth: false
> {code}
> The certifcate's subject is:
> {code}CN=*.my.domain.com,OU=my unit,O=my org{code}
> When I deploy this setting on a server which domain is
> node1.my.*other-domain*.com a connection via cqlsh wrongly works.
> Additionally, the inter-node connection between other nodes in this wrong
> domain also works.
> I would expect that the connection would fail with a meaningful error message.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
