[
https://issues.apache.org/jira/browse/CASSANDRA-13404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450025#comment-16450025
]
Per Otterström commented on CASSANDRA-13404:
--------------------------------------------
Taking another stab at this ticket. Attaching an updated patch set and some
dtests to go with that.
Short recap:
* I want to add hostname validation on server side to verify client IP matches
SAN field in client certificate.
* Several concerns were raised on initial patch, "does it add value", "setting
incoming IP on the SSLHandler", "added complexity for users".
* A second patch based on a plug-in approach was created. While this approach
has some interesting benefits, it is a bit overkill for this.
Some comments on the updated patch:
* SslHandler will get client host info only when endpoint-verification is
enabled, very similar to the setup of server-server communication. When
require_endpoint_verification option is not enabled, behavior will remain
unchanged.
* The require_endpoint_verification is already accepted for client-server
configuration, just currently unused and silently discared. Adding this
property to the client_encryption_options section should be manageble for our
users in terms of complexity.
* The fact that this patch-set give the wanted effect is verified with the
provided dtests.
* IMO the value is well argued in previous comments. When tickets like
CASSANDRA-13971 gets merged, a growing number of useres will have access to an
infrastructure that manages keys and certificates. Then hostname validation
will be a common task.
Patch for trunk: https://github.com/eperott/cassandra/tree/13404-trunk
Dtests: https://github.com/eperott/cassandra-dtest/tree/13404-trunk
CircleCI (unit tests only):
https://circleci.com/workflow-run/c29a6caf-1eeb-408d-a424-1ffbcaf9477d
> Hostname verification for client-to-node encryption
> ---------------------------------------------------
>
> Key: CASSANDRA-13404
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13404
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Jan Karlsson
> Assignee: Per Otterström
> Priority: Major
> Fix For: 4.x
>
> Attachments: 13404-trunk-v2.patch, 13404-trunk.txt
>
>
> Similarily to CASSANDRA-9220, Cassandra should support hostname verification
> for client-node connections.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
