[
https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523805#comment-17523805
]
Maulin Vasavada edited comment on CASSANDRA-17513 at 4/19/22 12:09 AM:
-----------------------------------------------------------------------
[~Jyothsnakonisa] and [~djoshi] - would it be possible to put both private keys
(server and client) in the same keystore? I've never tried it, so I'm not sure, but
would Java be able to use the correct certificate based on whether it requires a
server certificate or a client certificate?
I think writing up [a sample https
server/client|https://bugs.openjdk.java.net/browse/JDK-8262186] locally could
help test/verify that. -However, so far from Java code standpoint I am not able
to locate the place where it checks the OID/extendedKeyUsage field for
client/server cert reading from a keystore.- I think I found [the
code|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java#L566]
in OpenJDK 8 that checks for the extendedKeyUsage on a certificate while
choosing from the keystore. So according to this it should be able to
differentiate between client/server certs from the same keystore.
was (Author: maulin.vasavada):
[~Jyothsnakonisa] and [~djoshi] - would it be possible to put both private keys
(server and client) in the same keystore? I've never tried it, so I'm not sure, but
would Java be able to use the correct certificate based on whether it requires a
server certificate or a client certificate?
I think writing up [a sample https
server/client|https://bugs.openjdk.java.net/browse/JDK-8262186] locally could
help test/verify that. -However, so far from Java code standpoint I am not able
to locate the place where it checks the OID/extendedKeyUsage field for
client/server cert reading from a keystore.- I think I found [the
code|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java#L566]
in OpenJDK 8 that checks for the extendedKeyUsage on a certificate while
choosing from the keystore.
> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
> Key: CASSANDRA-17513
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
> Project: Cassandra
> Issue Type: Bug
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we
> should use a keystore with server certificate for Inbound connections and a
> keystore with client certificates for outbound connections. So we should add
> a new property in Cassandra.yaml to pass outbound keystore and use it in
> SSLContextFactory for creating outbound SSL context.
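
A local check of the question raised in the comment above, as an added example that is not code from the ticket, Cassandra or OpenJDK: it asks the JSSE key manager which alias it would pick for the server role and for the client role from one keystore, under both the JDK's default KeyManagerFactory algorithm and "NewSunX509" (the algorithm name that X509KeyManagerImpl, the class linked in the comment, is registered under). The keystore file, aliases and password are placeholders, and the class name `EkuAliasCheck` is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Assumed input: a PKCS12 keystore with two RSA key entries, built for the test with
// (file name, aliases and password are placeholders):
//   keytool -genkeypair -alias server -keyalg RSA -dname CN=server -ext eku=serverAuth \
//           -keystore both.p12 -storetype PKCS12 -storepass changeit
//   keytool -genkeypair -alias client -keyalg RSA -dname CN=client -ext eku=clientAuth \
//           -keystore both.p12 -storetype PKCS12 -storepass changeit
public class EkuAliasCheck {
    // Report the leaf certificate chosen for a role and whether its EKU list has the role's OID.
    static String describe(X509KeyManager km, String alias, String roleOid) throws Exception {
        if (alias == null) return "no alias selected";
        X509Certificate leaf = km.getCertificateChain(alias)[0];
        List<String> eku = leaf.getExtendedKeyUsage(); // null when the extension is absent
        boolean matches = eku != null && eku.contains(roleOid);
        return alias + " subject=" + leaf.getSubjectX500Principal().getName()
                + " eku=" + eku + " matchesRole=" + matches;
    }

    static void probe(String algorithm, KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(ks, password);
        for (KeyManager m : kmf.getKeyManagers()) {
            if (!(m instanceof X509KeyManager)) continue;
            X509KeyManager km = (X509KeyManager) m;
            // No issuer list and no socket: the choice rests on key type and certificate checks.
            String server = km.chooseServerAlias("RSA", null, null);
            String client = km.chooseClientAlias(new String[] {"RSA"}, null, null);
            System.out.println(algorithm + " server -> " + describe(km, server, "1.3.6.1.5.5.7.3.1")); // serverAuth
            System.out.println(algorithm + " client -> " + describe(km, client, "1.3.6.1.5.5.7.3.2")); // clientAuth
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        probe(KeyManagerFactory.getDefaultAlgorithm(), ks, password);
        probe("NewSunX509", ks, password);
    }
}
```

Run it as `java EkuAliasCheck both.p12 changeit`; a `matchesRole=false` line for either role means that key manager did not separate the two entries by extendedKeyUsage on the JDK under test.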