[
https://issues.apache.org/jira/browse/CASSANDRA-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867922#comment-16867922
]
John Sanda commented on CASSANDRA-15132:
----------------------------------------
I went back and looked at this again. I think it would be better to reduce the
logging level to DEBUG or altogether remove the log statement instead of the
check that I added in my branch.
[~djoshi3] what do you think?
> warning should not be logged when client auth is disabled for client
> encryption
> -------------------------------------------------------------------------------
>
> Key: CASSANDRA-15132
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15132
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Encryption
> Reporter: John Sanda
> Priority: Normal
>
> CASSANDRA-14652 caused a regression for client/native transport encryption.
> It broke one-way TLS authentication where only the client authenticates the
> coordinator node's certificate chain. This would be configured in
> cassandra.yaml as such:
> {noformat}
> client_encryption_options:
>     enabled: true
>     keystore: /path/to/keystore
>     keystore_password: my_keystore_password
>     optional: false
>     require_client_auth: false
> {noformat}
> With the changes in CASSANDRA-14652, ServerConnection.java always assumes
> that there will always be a client certificate chain, which will not be the
> case with the above configuration.
> Here is the error that shows up in the logs:
> {noformat}
> ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
>     at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
>     at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
>     at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
>     at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
>     at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
>     at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
>     at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
>     at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
>     at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
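The failure quoted in the issue comes from calling the peer-certificate accessor on an SSLSession for a one-way TLS connection: with `require_client_auth: false` the server never asked the client for a certificate, so there is no peer identity to return and the JDK throws SSLPeerUnverifiedException. The following is an added example, not Cassandra's ServerConnection code, showing how a server-side helper can ask the SSLEngine whether client authentication was requested before touching the peer chain, and map a declined optional client certificate to "absent" rather than an error. The class name `PeerCertificates`, the method `clientChain`, and the use of an un-handshaken SSLEngine from the default SSLContext in `main` to exercise both branches offline are all assumptions made for this example.

```java
import java.security.cert.Certificate;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Illustrative helper (assumption: not Cassandra's own code). Fetches the
 * client certificate chain only when the server actually asked for one.
 */
public final class PeerCertificates {

    /**
     * Returns the client's chain when the engine was configured with
     * needClientAuth or wantClientAuth and the client presented one.
     * Returns Optional.empty() for plain one-way TLS, where the absence of a
     * client certificate is the configured, expected state and not an error.
     */
    public static Optional<Certificate[]> clientChain(SSLEngine engine) {
        // One-way TLS (require_client_auth: false): the server never requested
        // a client cert, so skip the accessor instead of letting it throw.
        if (!engine.getNeedClientAuth() && !engine.getWantClientAuth()) {
            return Optional.empty();
        }

        SSLSession session = engine.getSession();
        try {
            return Optional.of(session.getPeerCertificates());
        } catch (SSLPeerUnverifiedException e) {
            // With needClientAuth the handshake itself fails if no cert is
            // sent, so reaching this catch means wantClientAuth was set and
            // the client declined. Report "no client identity" and let the
            // caller's authenticator decide whether that is acceptable.
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: an SSLEngine built from the default context and never
        // handshaken is enough to exercise both branches without a network.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        // One-way TLS: no client auth requested, accessor is never called.
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(false);
        System.out.println("one-way TLS, chain present: "
                + clientChain(engine).isPresent());

        // Optional client auth: no handshake has run, so no peer identity
        // exists and the exception path is mapped to Optional.empty().
        engine.setWantClientAuth(true);
        System.out.println("optional client auth, chain present: "
                + clientChain(engine).isPresent());
    }
}
```

The point for a caller such as a SASL negotiator that accepts certificates is that an empty result under `require_client_auth: false` is the configured state, so logging it at ERROR is noise; an empty result when client authentication was meant to be mandatory should instead be enforced by the handshake (needClientAuth), not discovered afterwards from a missing chain.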