[jira] [Commented] (CASSANDRA-19180) Support reloading certificate stores in cassandra-java-driver

Tue, 06 Feb 2024 07:54:04 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-19180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814877#comment-17814877
 ] 

Brandon Williams commented on CASSANDRA-19180:
----------------------------------------------

Those two +1s are enough in my mind, but I understand you need one so take 
mine: +1.

> Support reloading certificate stores in cassandra-java-driver
> -------------------------------------------------------------
>
>                 Key: CASSANDRA-19180
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19180
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Client/java-driver
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Currently, apache/cassandra-java-driver does not reload SSLContext when the 
> underlying certificate store files change. When the DefaultSslEngineFactory 
> (and the other factories) are set up, they build a fixed instance of 
> javax.net.ssl.SSLContext that doesn't change: 
> https://github.com/apache/cassandra-java-driver/blob/12e3e3ea027c51c5807e5e46ba542f894edfa4e7/core/src/main/java/com/datastax/oss/driver/internal/core/ssl/DefaultSslEngineFactory.java#L74
> This fixed SSLContext is used to negotiate SSL with the cluster, and if a 
> keystore is reloaded on disk it isn't picked up by the driver, and future 
> reconnections will fail if the keystore certificates have expired by the time 
> they're used to handshake a new connection.
> We should reload client certificates so that applications that provide them 
> can use short-lived certificates and not require a bounce to pick up new 
> certificates. This is especially relevant in a world with CASSANDRA-18554 and 
> broad use of mTLS.
> I have a patch for this that is nearly ready. Now that the project has moved 
> under apache/ - who can I work with to understand how CI works now?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to