[
https://issues.apache.org/jira/browse/CASSANDRA-15891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17879387#comment-17879387
]
Raymond Huffman commented on CASSANDRA-15891:
---------------------------------------------
I would also find this feature useful. I've done some investigating, and it's
not particularly straightforward to get the SSL handshake logic to check a
hostname instead of an IP address. One way to get it to work is for the
InetAddress object to have an `originalHostName` defined, which currently will
be null.
I've gotten this to work with the following logic that uses reflection
{code:java}
import java.net.InetAddress;
import org.apache.commons.lang3.reflect.FieldUtils;
import org.apache.commons.lang3.reflect.MethodUtils;

// Sets the hostname on an existing InetAddress by reflecting into the
// package-private InetAddress.holder(), so that SSL hostname verification
// sees a hostname instead of the raw IP.
public static void setHostname(InetAddress address, String hostname) throws Exception {
    // holder() is package-private; forceAccess=true lets MethodUtils call it anyway
    Object inetAddressHolder = MethodUtils.invokeMethod(address, true, "holder");
    // hostName is what getHostName() returns; originalHostName is what the
    // SSL endpoint identification code reads
    FieldUtils.writeField(inetAddressHolder, "hostName", hostname, true);
    FieldUtils.writeField(inetAddressHolder, "originalHostName", hostname, true);
}
{code}
as well as some custom logic to resolve the hostname for an InetAddress.
Reverse DNS does not work in Kubernetes, so we implemented something custom to
figure out the hostname based on a known hostname formula in our infra.
I believe there is a security issue with simply performing a reverse DNS
lookup, as it requires that you can trust the DNS server, which is not always
the case.
> provide a configuration option such as endpoint_verification_method
> -------------------------------------------------------------------
>
> Key: CASSANDRA-15891
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15891
> Project: Cassandra
> Issue Type: Improvement
> Components: Messaging/Internode
> Reporter: Thanh
> Priority: Normal
> Fix For: 5.x
>
>
> With cassandra-9220, it's possible to configure endpoint/hostname
> verification when enabling internode encryption. However, you don't have any
> control over what endpoint is used for the endpoint verification; instead,
> cassandra will automatically try to use node IP (not node hostname) for
> endpoint verification, so if your node certificates don't include the IP in
> the ssl certificate's SAN list, then you'll get an error like:
> {code:java}
> ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13
> 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for
> outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL:
> Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]]
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
> No subject alternative names matching IP address <NODE_IP_ADDRESS> found
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) {code}
> From what I've seen, most orgs will not have node IPs in their certs.
> So, it will be best if cassandra would provide another configuration option
> such as *{{endpoint_verification_method}}* which you could set to "ip" or
> "fqdn" or something else (eg "hostname_alias" if for whatever reason the org
> doesn't want to use fqdn for endpoint verification).
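The effect the reflection snippet in the comment above achieves (a hostname, not an IP literal, being what JSSE verifies against the certificate) can also be reached through public APIs. The following is an added example, not Cassandra code and not the commenter's code: it builds the InetAddress with InetAddress.getByAddress(host, addr), which records the supplied name as the address's original host name so no reverse DNS lookup happens, and it shows the explicit SSLEngine route, where the expected hostname is passed to createSSLEngine and the HTTPS endpoint identification algorithm is enabled. The class name, the cluster-local hostname and the use of SSLContext.getDefault() are assumptions made for the example; the IP is the one from the log line in the issue.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not Cassandra's or the commenter's code): making JSSE
 * endpoint identification check a hostname instead of the peer IP literal,
 * without reflection into java.net.InetAddress internals.
 */
public final class HostnameEndpointIdentification {

    /**
     * Builds an InetAddress whose hostname is the name we want verified.
     * InetAddress.getByAddress(host, addr) stores host as both the host name
     * and the original host name of the address, so getHostName() returns it
     * without a reverse DNS lookup, and an SSLSocket created from this address
     * uses it for endpoint identification unless the jdk.tls.trustNameService
     * system property is set to true (it is false by default).
     */
    public static InetAddress addressWithHostname(String hostname, byte[] rawIp)
            throws UnknownHostException {
        return InetAddress.getByAddress(hostname, rawIp);
    }

    /**
     * Creates a client-mode SSLEngine that verifies the peer certificate
     * against expectedHostname (DNS SANs) rather than against the IP (IP SANs).
     * Passing the hostname to createSSLEngine sets the peer host the
     * trust manager compares; "HTTPS" enables RFC 2818 style hostname checking.
     */
    public static SSLEngine clientEngine(SSLContext ctx, String expectedHostname, int port) {
        SSLEngine engine = ctx.createSSLEngine(expectedHostname, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the pod IP from the issue's log line and a
        // Kubernetes-style name of the kind a node certificate would carry.
        byte[] podIp = {10, 10, 88, (byte) 194};
        InetAddress addr = addressWithHostname(
                "cassandra-0.cassandra.default.svc.cluster.local", podIp);
        System.out.println(addr.getHostName() + " -> " + addr.getHostAddress());

        // SSLContext.getDefault() uses the JVM trust store; a real deployment
        // would load the cluster CA into its own context instead.
        SSLEngine engine = clientEngine(SSLContext.getDefault(), addr.getHostName(), 7001);
        System.out.println("peer host used for verification: " + engine.getPeerHost());
    }
}
```

Two practical points follow from this. First, the hostname still has to come from a source you trust (configuration, or a known naming formula as described in the comment), because whatever name is fed in is what the certificate is checked against; neither method above consults reverse DNS, which is the trust concern the comment raises. Second, the reflection approach in the comment writes to private fields of java.base; on JDK 16 and later that is blocked by strong encapsulation unless the JVM is started with --add-opens java.base/java.net=ALL-UNNAMED, whereas getByAddress and createSSLEngine(host, port) need no such flag.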
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]