[ https://issues.apache.org/jira/browse/CASSANDRA-14295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joshua McKenzie updated CASSANDRA-14295:
----------------------------------------
    Priority: Minor  (was: Major)

> no ssl hostname validation in cqlsh
> -----------------------------------
>
>                 Key: CASSANDRA-14295
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14295
>             Project: Cassandra
>          Issue Type: Bug
>          Components: CQL
>            Reporter: Christian Becker
>            Priority: Minor
>              Labels: Security
>
> In order to validate certificates properly the python driver requires
> {{check_hostname}} to be set.
> [https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562]
> However it is not available as a setting in cqlsh:
> [https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89]
> I noticed this because cqlsh is connecting to 127.0.0.1 per default, but the
> configured certificate is just containing the hostname and the local ip. The
> connection was always successful. But when adding {{check_hostname}} to
> {{cqlshlib/sslhandling.py}} the validation works as expected:
> current behaviour:
> {code:java}
> # cqlsh --ssl
> Connected to ****-cassandra at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> ****@cqlsh>{code}
> expected:
> {code:java}
> # cqlsh --ssl
> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
> CertificateError("hostname '127.0.0.1' doesn't match '****'",)}){code}
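
What the missing hostname check compares, as an added example that is not part of the ticket, cqlsh or the python driver: a simplified matcher over a certificate dict in the shape Python's `getpeercert()` returns. The certificate contents and function names are constructed for illustration; commonName fallback and partial-label wildcards are deliberately not implemented.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN; '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_target(cert: dict, target: str) -> bool:
    """Return True if the address the client dialled appears in the cert's SANs.

    Chain validation alone (CERT_REQUIRED without a name check) never asks this
    question, which is why the connection to 127.0.0.1 in the report succeeded.
    """
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in sans:
        if target_ip is not None:
            # An IP target may only match iPAddress SANs, never DNS names.
            if kind == "IP Address" and ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


# Constructed certificate (assumption): node hostname plus its LAN address,
# with no loopback entry, mirroring the situation described in the report.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "cassandra-node1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "cassandra-node1.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    for target in ("127.0.0.1", "10.0.0.5", "cassandra-node1.example.internal"):
        print(target, cert_matches_target(CONSTRUCTED_CERT, target))
```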