[ https://issues.apache.org/jira/browse/CASSANDRA-15038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16780223#comment-16780223 ]

Jai Bheemsen Rao Dhanwada commented on CASSANDRA-15038:
-------------------------------------------------------

In a way yes, but consider another use-case where I am trying to set up SSL to 
encrypt the messages in flight but I trust the members who try to join the 
cluster. Agreed, there are several ways to do it, but the ask was why not make use 
of the cassandra configuration to do it when it's already present (in this case 
it's not working as expected).

> Provide an option to Disable Truststore CA check for internode_encryption
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15038
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15038
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Priority: Major
>
> Hello,
> The current internode encryption between cassandra nodes uses a keystore and 
> truststore. However, there are some use-cases where users are okay to allow 
> anyone to be trusted as long as they have a keystore. This requirement is only for 
> encryption, not for trusting the identity.
> It would be good to have an option to disable the Truststore CA check for the 
> internode_encryption.
>  
> In the current cassandra.yaml, there is no way to comment out/disable the 
> truststore and truststore password and allow anyone to connect with a 
> certificate. 
>  
> Though require_client_auth: is set to false, cassandra fails to start up 
> if we disable truststore and truststore_password, as it looks for the default 
> truststore under `conf/.truststore`
>  
> {code:java}
> server_encryption_options:
>  internode_encryption: all
>  keystore: /etc/cassandra/keystore.jks
>  keystore_password: mykeypass
>  truststore: /etc/cassandra/truststore.jks
>  truststore_password: truststorepass
>  # More advanced defaults below:
>  # protocol: TLS
>  # algorithm: SunX509
>  # store_type: JKS
>  # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>  # require_client_auth: false
>  # require_endpoint_verification: false{code}
> {noformat}
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 8 common frames omitted
> Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
>  at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
>  at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
>  at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
>  at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
>  ... 10 common frames omitted{noformat}
>  
>  Cassandra Version: 3.11.3
>  
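The failure quoted above is a configuration-validation problem: with `truststore` commented out, Cassandra 3.11 silently falls back to `conf/.truststore` and only reports the missing file at socket creation time. The following pre-flight check, added here as an illustration and not part of Cassandra or of this ticket, reads the `server_encryption_options` block from a cassandra.yaml, reproduces the fallback the stack trace shows, and reports the settings that weaken peer authentication (`require_client_auth`, `require_endpoint_verification`). The two sample configs are constructed from the reporter's block; the parser is a deliberately minimal one for this flat key/value section, not a general YAML parser.

```python
import os
import re
from typing import Callable, Dict, List

# Fallback path Cassandra 3.11 opens when truststore is not configured
# (the path named in the FileNotFoundException in the ticket).
DEFAULT_TRUSTSTORE = "conf/.truststore"

# Constructed sample: the reporter's block with the truststore lines commented
# out, i.e. the configuration the ticket says fails at startup.
SAMPLE_WITHOUT_TRUSTSTORE = """\
server_encryption_options:
 internode_encryption: all
 keystore: /etc/cassandra/keystore.jks
 keystore_password: mykeypass
 # truststore: /etc/cassandra/truststore.jks
 # truststore_password: truststorepass
 # require_client_auth: false
 # require_endpoint_verification: false
"""

# Constructed sample: truststore configured and both peer checks enabled.
SAMPLE_FULL = """\
server_encryption_options:
 internode_encryption: all
 keystore: /etc/cassandra/keystore.jks
 keystore_password: mykeypass
 truststore: /etc/cassandra/truststore.jks
 truststore_password: truststorepass
 require_client_auth: true
 require_endpoint_verification: true
"""


def parse_server_encryption_options(yaml_text: str) -> Dict[str, str]:
    """Collect the indented `key: value` lines under server_encryption_options.

    Comment lines and blank lines are skipped, so a commented-out truststore
    is treated exactly as Cassandra treats it: absent.
    """
    opts: Dict[str, str] = {}
    in_block = False
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw.startswith((" ", "\t")):
            # A new top-level key: only keep reading inside our block.
            in_block = stripped.startswith("server_encryption_options:")
            continue
        if in_block:
            m = re.match(r"\s*([A-Za-z_]+):\s*(.*)$", raw)
            if m:
                opts[m.group(1)] = m.group(2).strip()
    return opts


def audit_server_encryption(
    yaml_text: str, file_exists: Callable[[str], bool] = os.path.isfile
) -> List[str]:
    """Return a list of findings for the server_encryption_options block.

    `file_exists` is injectable so the check can run without the real
    keystore files being present (defaults to os.path.isfile).
    """
    opts = parse_server_encryption_options(yaml_text)
    findings: List[str] = []

    if opts.get("internode_encryption", "none") == "none":
        findings.append("internode_encryption is none: node-to-node traffic is cleartext")
        return findings

    truststore = opts.get("truststore")
    if truststore is None:
        findings.append(
            f"truststore not set: Cassandra falls back to {DEFAULT_TRUSTSTORE} "
            "and fails to start if that file is missing or unreadable"
        )
        truststore = DEFAULT_TRUSTSTORE
    if not file_exists(truststore):
        findings.append(f"truststore {truststore} is missing or unreadable")

    keystore = opts.get("keystore")
    if keystore is None or not file_exists(keystore):
        findings.append(f"keystore {keystore or '(unset)'} is missing or unreadable")

    # Both default to false in the reporter's block; with them off, a peer's
    # certificate is neither required nor checked against its hostname.
    if opts.get("require_client_auth", "false") != "true":
        findings.append("require_client_auth is false: connecting peers need not present a certificate")
    if opts.get("require_endpoint_verification", "false") != "true":
        findings.append("require_endpoint_verification is false: peer hostname is not checked against its certificate")
    return findings


if __name__ == "__main__":
    for name, text in (("without truststore", SAMPLE_WITHOUT_TRUSTSTORE), ("full", SAMPLE_FULL)):
        print(f"== {name} ==")
        for finding in audit_server_encryption(text, file_exists=lambda p: p.startswith("/etc/")):
            print(" -", finding)
```

Running it against a real node's cassandra.yaml (with the default `os.path.isfile`) reproduces the ticket's startup failure before Cassandra is restarted: the "truststore not set" finding appears whenever the key is commented out, and the "missing or unreadable" finding appears when `conf/.truststore` cannot be opened from the working directory, which is what the `Permission denied` in the stack trace reports.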



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
