[ 
https://issues.apache.org/jira/browse/CASSANDRA-14223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16479313#comment-16479313
 ] 

Ron Blechman edited comment on CASSANDRA-14223 at 5/17/18 4:29 PM:
-------------------------------------------------------------------

I haven't tried this on the 4.0 trunk.
 I have been working solely with Cassandra 3.11.2. and have been testing this 
with CRLs that are pre-fetched - which I believe avoids the concerns you 
mentioned about blocking. My comments about OCSP are looking more towards the 
future - as my first priority is to have this work with CRLs. I have tested 
this with OCSP and dynamically downloaded CRLS, but perhaps not rigorously 
enough to run into the issues you expressed concern about.

+{color:#0066cc}Per Otterström{color}+ - I would need further details for me to 
answer whether what you are suggesting would work for us or not. Do you know if 
what you are suggesting work with Bouncy Castle in FIPS mode?


was (Author: ronblechman):
I haven't tried this on the 4.0 trunk.
I have been working solely with Cassandra 3.11.2. and have been testing this 
with CRLs that are pre-fetched - which I believe avoids the concerns you 
mentioned about blocking. My comments about OCSP are looking more towards the 
future - as my first priority is to have this work with CRLs. I have tested 
this with OCSP and dynamically downloaded CRLS, but perhaps not rigorously 
enough to run into the issues you expressed concern about.

> Provide ability to do custom certificate validations (e.g. hostname 
> validation, certificate revocation checks)
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-14223
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14223
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Configuration
>            Reporter: Ron Blechman
>            Priority: Major
>              Labels: security
>             Fix For: 4.x
>
>
> Cassandra server should be to be able do additional certificate validations, 
> such as hostname validatation and certificate revocation checking against 
> CRLs and/or using OCSP. 
> One approach couild be to have SSLFactory use SSLContext.getDefault() instead 
> of forcing the creation of a new SSLContext using SSLContext.getInstance().  
> Using the default SSLContext would allow a user to plug in their own custom 
> SSLSocketFactory via the java.security properties file. The custom 
> SSLSocketFactory could create a default SSLContext  that was customized to do 
> any extra validation such as certificate revocation, host name validation, 
> etc.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to