Per Otterström commented on CASSANDRA-14223:

It's fairly straight forward to create a custom TrustManager. I could create a 
simplistic example to demonstrate. We're installing custom trust managers in 
our deployments at Ericsson using the procedure that [~spo...@gmail.com] 
described above. I don't think we should invent our own way to achieve this, 
when there is a standardized way.

[~ronblechman] I believe you should be able to achieve what you want using this 
procedure. Rigth?

Currently it is not possible to get hostname validation (custom TrustManager or 
not), but that should be solved by CASSANDRA-13404 if we agree to merge it.

[~jasobrown] I'm not sure I share your concern. A custom TrustManager could 
maintain internal state, such as updating lists of revoced certificates, in a 
separete thread, right? It doesn't have to happen on the 
accept-thread/event-loop-thread? I will have a look at your patch to better 

> Provide ability to do custom certificate validations (e.g. hostname 
> validation, certificate revocation checks)
> --------------------------------------------------------------------------------------------------------------
>                 Key: CASSANDRA-14223
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14223
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Ron Blechman
>            Priority: Major
>              Labels: security
>             Fix For: 4.x
> Cassandra server should be to be able do additional certificate validations, 
> such as hostname validatation and certificate revocation checking against 
> CRLs and/or using OCSP. 
> One approach couild be to have SSLFactory use SSLContext.getDefault() instead 
> of forcing the creation of a new SSLContext using SSLContext.getInstance().  
> Using the default SSLContext would allow a user to plug in their own custom 
> SSLSocketFactory via the java.security properties file. The custom 
> SSLSocketFactory could create a default SSLContext  that was customized to do 
> any extra validation such as certificate revocation, host name validation, 
> etc.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to