Christian Becker created CASSANDRA-14295:
--------------------------------------------

             Summary: no ssl hostname validation in cqlsh
                 Key: CASSANDRA-14295
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
             Project: Cassandra
          Issue Type: Bug
            Reporter: Christian Becker


In order to validate certificates properly, the Python driver requires 
{{check_hostname}} to be set.

[https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]

However it is not available as a setting in cqlsh:

[https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]

I noticed this because cqlsh connects to 127.0.0.1 by default, but the 
configured certificate contains just the hostname and the local IP. The 
connection was always successful. But when adding {{check_hostname}} to 
{{cqlshlib/sslhandling.py}}, the validation works as expected:

current behaviour:
{code:java}
# cqlsh --ssl
Connected to ****-cassandra at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
****@cqlsh>{code}
expected:
{code:java}
# cqlsh --ssl
Connection error: ('Unable to connect to any servers', {'127.0.0.1': 
CertificateError("hostname '127.0.0.1' doesn't match '****'",)}){code}
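
Added example, not part of the original report and not cqlsh or driver code: a stdlib-only model of the gap described above, where the certificate chain is validated but the peer name is not. The sample certificate, host names and helper names are constructed for illustration, and the SAN matcher is a simplified stand-in for the check the `ssl` module performs when `check_hostname` is enabled.

```python
import ipaddress
import ssl

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(): it names the node's hostname and its LAN
# address, but not the loopback address cqlsh connects to by default.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "node1.example.internal"),
        ("IP Address", "10.0.0.5"),
    )
}


def cert_matches_host(cert, host):
    """Simplified SAN check: exact IP match, or DNS match with an optional
    wildcard in the left-most label only. No commonName fallback."""
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None  # not an IP literal, treat as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS":
            want = host.lower().rstrip(".").split(".")
            have = value.lower().split(".")
            if len(want) == len(have) and want[1:] == have[1:]:
                if have[0] == want[0] or (have[0] == "*" and len(have) > 2):
                    return True
    return False


def make_context(check_hostname):
    """Client context that always validates the chain; name check optional."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: both checks on
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connection_accepted(ctx, cert, host):
    """Model the outcome once the chain has validated against a trusted CA."""
    return (not ctx.check_hostname) or cert_matches_host(cert, host)
```

With `check_hostname` off, any certificate that chains to a trusted CA is accepted for any address, which is why the connection to 127.0.0.1 in the report always succeeded.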
 

 


