Christian Becker created CASSANDRA-14295:
--------------------------------------------

Summary: no ssl hostname validation in cqlsh
Key: CASSANDRA-14295
URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
Project: Cassandra
Issue Type: Bug
Reporter: Christian Becker

In order to validate certificates properly, the Python driver requires {{check_hostname}} to be set.
[https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]

However, it is not available as a setting in cqlsh:
[https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]

I noticed this because cqlsh connects to 127.0.0.1 by default, but the configured certificate contains only the hostname and the local IP. The connection was always successful.

But when adding {{check_hostname}} to {{cqlshlib/sslhandling.py}}, the validation works as expected:

current behaviour:
{code:java}
# cqlsh --ssl
Connected to ****-cassandra at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
****@cqlsh>
{code}

expected:
{code:java}
# cqlsh --ssl
Connection error: ('Unable to connect to any servers', {'127.0.0.1': CertificateError("hostname '127.0.0.1' doesn't match '****'",)})
{code}
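
What the missing setting changes, as an added example (not code from cqlsh, the DataStax driver, or the report): it builds a standard-library `ssl.SSLContext` with and without `check_hostname` and models the name comparison on a constructed certificate. The function names, parameters and certificate values are assumptions, and the matcher is a simplified model (exact names only, no wildcards).

```python
import ipaddress
import ssl


def build_context(validate=True, check_hostname=False, cafile=None):
    """Client TLS context. Parameter names are hypothetical, not cqlsh's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname has to be cleared before verify_mode
    # may be lowered to CERT_NONE, otherwise the ssl module raises ValueError.
    ctx.check_hostname = bool(validate and check_hostname)
    ctx.verify_mode = ssl.CERT_REQUIRED if validate else ssl.CERT_NONE
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def san_matches(peercert, host):
    """Simplified model of the comparison that check_hostname enforces.

    peercert has the dict shape returned by SSLSocket.getpeercert().
    An IP literal is compared only against 'IP Address' entries and a
    name only against 'DNS' entries.
    """
    sans = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and v.lower() == host.lower() for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)


# Constructed certificate: names the node's hostname and LAN IP, not loopback.
CONSTRUCTED_CERT = {
    "subjectAltName": (("DNS", "node1.example.internal"), ("IP Address", "10.0.0.5")),
}


def would_connect(ctx, peercert, host):
    """Assuming the chain already validated, is the peer accepted for host?"""
    return (not ctx.check_hostname) or san_matches(peercert, host)


if __name__ == "__main__":
    for label, ctx in (("chain only", build_context()),
                       ("chain + hostname", build_context(check_hostname=True))):
        print(label, "->", would_connect(ctx, CONSTRUCTED_CERT, "127.0.0.1"))
```

In a real connection the context applies the comparison itself when `wrap_socket` is called with `server_hostname` set to the address being dialed.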