[
https://issues.apache.org/jira/browse/CASSANDRA-15038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16780242#comment-16780242
]
Dinesh Joshi commented on CASSANDRA-15038:
------------------------------------------
The client auth setting controls whether the peer sends its certificate to the
server for verification. IIRC, even when client auth is disabled, we need the
truststore to verify the SSL certificates of peers when we make outbound
connections. So we have to load it regardless of the setting. This is
fundamentally different from what you're asking for. What you're really asking
for is ignoring certificate verification errors.
> Provide an option to Disable Truststore CA check for internode_encryption
> -------------------------------------------------------------------------
>
> Key: CASSANDRA-15038
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15038
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Encryption
> Reporter: Jai Bheemsen Rao Dhanwada
> Priority: Major
>
> Hello,
> The current internode encryption between Cassandra nodes uses a keystore and
> truststore. However, there are some use-cases where users are okay to allow
> anyone to be trusted as long as they have a keystore. This requirement is only
> for encryption, not for trusting the identity.
> It would be good to have an option to disable the truststore CA check for
> internode_encryption.
>
> In the current cassandra.yaml, there is no way to comment out/disable the
> truststore and truststore password and allow anyone to connect with a
> certificate.
>
> Though require_client_auth: is set to false, Cassandra fails to start up
> if we disable truststore and truststore_password, as it looks for the default
> truststore under `conf/.truststore`.
>
> {code:java}
> server_encryption_options:
>     internode_encryption: all
>     keystore: /etc/cassandra/keystore.jks
>     keystore_password: mykeypass
>     truststore: /etc/cassandra/truststore.jks
>     truststore_password: truststorepass
>     # More advanced defaults below:
>     # protocol: TLS
>     # algorithm: SunX509
>     # store_type: JKS
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
>     # require_client_auth: false
>     # require_endpoint_verification: false
> {code}
> {noformat}
> Caused by: java.io.IOException: Error creating the initializing the SSL Context
>     at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201) ~[apache-cassandra-3.11.3.jar:3.11.3]
>     at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:61) ~[apache-cassandra-3.11.3.jar:3.11.3]
>     at org.apache.cassandra.net.MessagingService.getServerSockets(MessagingService.java:708) ~[apache-cassandra-3.11.3.jar:3.11.3]
>     ... 8 common frames omitted
> Caused by: java.io.FileNotFoundException: conf/.truststore (Permission denied)
>     at java.io.FileInputStream.open0(Native Method) ~[na:1.8.0_151]
>     at java.io.FileInputStream.open(FileInputStream.java:195) ~[na:1.8.0_151]
>     at java.io.FileInputStream.<init>(FileInputStream.java:138) ~[na:1.8.0_151]
>     at java.io.FileInputStream.<init>(FileInputStream.java:93) ~[na:1.8.0_151]
>     at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:168) ~[apache-cassandra-3.11.3.jar:3.11.3]
>     ... 10 common frames omitted
> {noformat}
>
> Cassandra Version: 3.11.3
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
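A worked illustration of the distinction drawn in the comment above, added here as an example; it is not code from Cassandra or from anyone on this ticket. Go's crypto/tls stands in for the Java SSLContext that SSLFactory builds, an in-process toy CA plus a node certificate and a rogue self-signed certificate (the names cluster-ca and node1 are constructed) stand in for the keystore and truststore files, and InsecureSkipVerify is the dialer-side equivalent of "ignore certificate verification errors". The two runs show that the truststore is what lets an outbound connection tell a cluster member from a stranger presenting any certificate at all, independently of require_client_auth; with verification off the link is still encrypted but the rogue peer is accepted too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records which peers an outbound TLS connection accepted under one trust policy.
type Outcome struct {
	TrustedPeerAccepted bool // peer cert chains to the CA in our truststore
	RoguePeerAccepted   bool // peer presents a self-signed cert issued by nobody we trust
}

// makeCert mints an ECDSA key and X.509 cert for cn (constructed test data). With parent
// nil it is self-signed (our toy cluster CA, or a rogue node's home-made cert); otherwise
// parent signs it, like a node cert issued by the cluster CA.
func makeCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN the dialer checks
	}
	signerCert, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve starts a loopback TLS listener presenting cert, standing in for a cluster member we dial out to.
func serve(cert tls.Certificate) (addr string, stop func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() { // accept until the listener is closed; each peer just handshakes and hangs up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// probe dials both peers with cfg, the way a node opens outbound internode connections.
func probe(cfg *tls.Config, trustedAddr, rogueAddr string) Outcome {
	dial := func(addr string) bool {
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return false // e.g. "x509: certificate signed by unknown authority"
		}
		conn.Close()
		return true
	}
	return Outcome{TrustedPeerAccepted: dial(trustedAddr), RoguePeerAccepted: dial(rogueAddr)}
}

// Compare runs the same two outbound connections with a truststore holding the cluster CA,
// and again with verification switched off (what the ticket asks for).
func Compare() (withTruststore, verificationOff Outcome) {
	ca := makeCert("cluster-ca", true, nil)
	node := makeCert("node1", false, &ca)
	rogue := makeCert("node1", false, nil) // same name, but issued by nobody we trust
	nodeAddr, stopNode := serve(node)
	defer stopNode()
	rogueAddr, stopRogue := serve(rogue)
	defer stopRogue()
	truststore := x509.NewCertPool()
	truststore.AddCert(ca.Leaf)
	withTruststore = probe(&tls.Config{RootCAs: truststore}, nodeAddr, rogueAddr)
	// InsecureSkipVerify still encrypts the link but authenticates nobody.
	verificationOff = probe(&tls.Config{InsecureSkipVerify: true}, nodeAddr, rogueAddr)
	return withTruststore, verificationOff
}

func main() {
	a, b := Compare()
	fmt.Printf("truststore with cluster CA: %+v\nverification disabled:      %+v\n", a, b)
}
```

With the truststore the dialer accepts node1 and rejects the rogue peer with an unknown-authority error; with verification disabled both handshakes succeed, which is exactly "encryption but not trusting the identity". Note that nothing here depends on the listener asking the dialer for a certificate: require_client_auth governs that server-side request, not whether the dialer verifies the certificate it receives.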