[ https://issues.apache.org/jira/browse/CASSANDRA-9220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tyler Hobbs updated CASSANDRA-9220:
-----------------------------------

    Reviewer: Robert Stupp  (was: Tyler Hobbs)

> Hostname verification for node-to-node encryption
> -------------------------------------------------
>
>                 Key: CASSANDRA-9220
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9220
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 3.x
>
>         Attachments: sslhostverification-2.0.patch
>
>
> This patch will introduce a new ssl server option: {{require_endpoint_verification}}.
> Setting it will enable hostname verification for inter-node SSL communication. This is necessary to prevent man-in-the-middle attacks when building a trust chain against a common CA. See [here|https://tersesystems.com/2014/03/23/fixing-hostname-verification/] for background details.
> Clusters that solely rely on importing all node certificates into each trust store (as described [here|http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html]) are not affected.
> Clusters that use the same common CA to sign node certificates are potentially affected. In case the CA signing process will allow other parties to generate certs for different purposes, those certificates could in turn be used for MITM attacks. The provided patch will allow enabling hostname verification to make sure not only to check if the cert is valid but also if it has been created for the host that we're about to connect to.
>
> Corresponding dtest: [Test for CASSANDRA-9220|https://github.com/riptano/cassandra-dtest/pull/237]
>
> Github:
> 2.0 -> [diff|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification], [patch|https://github.com/apache/cassandra/compare/cassandra-2.0...spodkowinski:feat/sslhostverification.patch]
> Trunk -> [diff|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification], [patch|https://github.com/apache/cassandra/compare/trunk...spodkowinski:feat/sslhostverification.patch]
>
> Related patches from the client perspective: [Java|https://datastax-oss.atlassian.net/browse/JAVA-716], [Python|https://datastax-oss.atlassian.net/browse/PYTHON-296]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
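The extra check the issue describes, as an added example that is not part of the patch or of Cassandra's code: it models the endpoint verification step that {{require_endpoint_verification}} turns on, using constructed peer certificates in the dict shape Python's ssl module returns. Chain validation against the common CA is assumed to have already succeeded; the example also covers nodes dialled by IP address, which is how inter-node connections are usually made.

```python
import ipaddress

# Constructed peer certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); both are assumed to chain to the common CA.
NODE_CERT = {
    "subject": ((("commonName", "node1.dc1.example.com"),),),
    "subjectAltName": (("DNS", "node1.dc1.example.com"),
                       ("DNS", "*.dc2.example.com"),
                       ("IP Address", "10.0.0.1")),
}
OTHER_CERT = {  # valid, CA-signed, but issued for an unrelated service
    "subject": ((("commonName", "reporting.example.com"),),),
    "subjectAltName": (("DNS", "reporting.example.com"),),
}


def _match_dns(pattern, hostname):
    """RFC 6125 dNSName match: case-insensitive, same label count, and a
    wildcard only as the entire left-most label with two fixed labels left."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # rejects "*.com", "n*.example.com", "*.*.example.com"
    return p_labels[1:] == h_labels[1:]


def verify_endpoint(cert, endpoint):
    """True only if the certificate was issued for the endpoint being dialled.
    Chain validation is assumed to have passed already; this is the step that
    require_endpoint_verification adds. An IP endpoint is matched against
    iPAddress SANs only, a hostname against dNSName SANs (CN as fallback)."""
    san = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        addr = None
    if addr is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == addr
                   for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        return any(_match_dns(n, endpoint) for n in dns_names)
    if san:
        return False  # SAN present without dNSName: CN must not be consulted
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cn) and _match_dns(cn[-1], endpoint)
```

A certificate that passes chain validation but was issued for another host (OTHER_CERT above) is exactly the case the option is meant to reject.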