[ https://issues.apache.org/jira/browse/CASSANDRA-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremy Hanna updated CASSANDRA-14295:
-------------------------------------
Labels: Security (was: )
> no ssl hostname validation in cqlsh
> -----------------------------------
>
> Key: CASSANDRA-14295
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
> Project: Cassandra
> Issue Type: Bug
> Reporter: Christian Becker
> Priority: Major
> Labels: Security
>
> In order to validate certificates properly the python driver requires
> {{check_hostname}} to be set.
> [https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]
> However, it is not available as a setting in cqlsh:
> [https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]
> I noticed this because cqlsh connects to 127.0.0.1 by default, but the
> configured certificate contains just the hostname and the local IP. The
> connection was always successful. But when adding {{check_hostname}} to
> {{cqlshlib/sslhandling.py}}, the validation works as expected:
> current behaviour:
> {code:java}
> # cqlsh --ssl
> Connected to ****-cassandra at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> ****@cqlsh>{code}
> expected:
> {code:java}
> # cqlsh --ssl
> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
> CertificateError("hostname '127.0.0.1' doesn't match '****'",)}){code}
>
>
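The difference between chain validation alone and chain validation plus the hostname check, as an added example using only Python's standard `ssl` module (it is not code from the ticket, cqlsh, or the DataStax driver). `NODE_CERT`, its names and addresses, and the function names are constructed for illustration.

```python
import ipaddress
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a node certificate naming its hostname and LAN address, but not loopback.
NODE_CERT = {
    "subject": ((("commonName", "cass-node1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "cass-node1.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}


def client_context(check_hostname):
    """TLS client context that always validates the chain; the hostname check is optional."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED, check_hostname on
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def san_matches(cert, target):
    """Return True if `target` (the address the client dialled) is named in the cert SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets match only 'IP Address' entries, never DNS names.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    want = target.rstrip(".").lower()
    # Exact DNS match; wildcard SANs are not handled here.
    return any(kind == "DNS" and value.lower() == want for kind, value in sans)


def would_connect(cert, target, check_hostname):
    """Outcome of the identity step once the certificate chain has already validated."""
    ctx = client_context(check_hostname)
    return (not ctx.check_hostname) or san_matches(cert, target)


if __name__ == "__main__":
    for flag in (False, True):
        print("check_hostname=%s -> connects to 127.0.0.1: %s"
              % (flag, would_connect(NODE_CERT, "127.0.0.1", flag)))
```

With the check off, any certificate that chains to the trusted CA is accepted for any address, which is the "current behaviour" in the report; with it on, the loopback connection is refused because 127.0.0.1 is not among the certificate's names.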