[ https://issues.apache.org/jira/browse/CASSANDRA-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua McKenzie updated CASSANDRA-14295:
----------------------------------------
    Component/s: CQL

> no ssl hostname validation in cqlsh
> -----------------------------------
>
>                 Key: CASSANDRA-14295
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
>             Project: Cassandra
>          Issue Type: Bug
>          Components: CQL
>            Reporter: Christian Becker
>            Priority: Major
>              Labels: Security
>
> In order to validate certificates properly, the Python driver requires 
> {{check_hostname}} to be set.
> [https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]
> However it is not available as a setting in cqlsh:
> [https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]
> I noticed this because cqlsh connects to 127.0.0.1 by default, but the 
> configured certificate contains just the hostname and the local IP. The 
> connection was always successful. But when adding {{check_hostname}} to 
> {{cqlshlib/sslhandling.py}}, the validation works as expected:
> current behaviour:
> {code:java}
> # cqlsh --ssl
> Connected to ****-cassandra at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> ****@cqlsh>{code}
> expected:
> {code:java}
> # cqlsh --ssl
> Connection error: ('Unable to connect to any servers', {'127.0.0.1': 
> CertificateError("hostname '127.0.0.1' doesn't match '****'",)}){code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
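
Added example (not part of the original report, and not cqlsh or python-driver code): a small model of the behaviour the report describes, in which a chain-valid certificate is accepted for 127.0.0.1 unless the name check is enabled. The certificate dict, the names in it and the helpers client_context, san_matches and would_connect are constructed for illustration; san_matches is a simplified stand-in for the check that check_hostname turns on (exact DNS/IP subjectAltName match, no wildcards).

```python
import ipaddress
import ssl

# Constructed peer certificate in the dict form ssl.SSLSocket.getpeercert() returns:
# it names the node's hostname and its LAN address, but not 127.0.0.1.
PEER_CERT = {
    "subject": ((("commonName", "db1.example.internal"),),),
    "subjectAltName": (("DNS", "db1.example.internal"), ("IP Address", "10.0.0.5")),
}


def client_context(check_hostname):
    """Client context that always validates the chain; the name check is optional."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def san_matches(peercert, host):
    """Simplified name check: exact DNS or IP subjectAltName match, no wildcards."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        target = None  # not an IP literal, so compare against DNS entries
    for kind, value in peercert.get("subjectAltName", ()):
        if target is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == target:
                return True
        elif target is None and kind == "DNS":
            if value.lower() == host.lower():
                return True
    return False


def would_connect(ctx, peercert, host):
    """A chain-valid certificate is accepted unless the name check is on and fails."""
    return (not ctx.check_hostname) or san_matches(peercert, host)


if __name__ == "__main__":
    for flag in (False, True):
        print("check_hostname=%s -> connect to 127.0.0.1: %s"
              % (flag, would_connect(client_context(flag), PEER_CERT, "127.0.0.1")))
```

A quick audit for any Python TLS client follows from the same idea: a context with verify_mode set to CERT_REQUIRED but check_hostname False trusts any certificate the CA has issued, whichever host it was issued for.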
