[
https://issues.apache.org/jira/browse/CASSANDRA-15891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17879388#comment-17879388
]
Brandon Williams commented on CASSANDRA-15891:
----------------------------------------------
It may be better to use
https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-34%3A+mTLS+based+client+and+internode+authenticators
instead at this point.
> provide a configuration option such as endpoint_verification_method
> -------------------------------------------------------------------
>
> Key: CASSANDRA-15891
> URL: https://issues.apache.org/jira/browse/CASSANDRA-15891
> Project: Cassandra
> Issue Type: Improvement
> Components: Messaging/Internode
> Reporter: Thanh
> Priority: Normal
> Fix For: 5.x
>
>
> With cassandra-9220, it's possible to configure endpoint/hostname
> verification when enabling internode encryption. However, you don't have any
> control over what endpoint is used for the endpoint verification; instead,
> cassandra will automatically try to use node IP (not node hostname) for
> endpoint verification, so if your node certificates don't include the IP in
> the ssl certificate's SAN list, then you'll get an error like:
> {code:java}
> ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13
> 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for
> outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL:
> Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]]
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
> No subject alternative names matching IP address <NODE_IP_ADDRESS> found
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) {code}
> From what I've seen, most orgs will not have node IPs in their certs.
> So, it would be best if cassandra provided another configuration option
> such as *{{endpoint_verification_method}}* which you could set to "ip" or
> "fqdn" or something else (eg "hostname_alias" if for whatever reason the org
> doesn't want to use fqdn for endpoint verification).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
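An added illustration of the subjectAltName matching behind the error quoted in the issue (my own model, not Cassandra or JDK code; the SAN lists are constructed): an IP endpoint is compared only against IP entries and a hostname only against DNS entries, so a certificate that carries only DNS names fails when the peer is verified by its IP address and passes when it is verified by its FQDN.

```python
import ipaddress
from typing import Iterable

# Constructed SAN lists modelled on the situation in the issue: the node
# certificate carries DNS names but not the node's IP address.
SAN_DNS_ONLY = ["DNS:node1.example.internal", "DNS:*.example.internal"]
SAN_WITH_IP = SAN_DNS_ONLY + ["IP:10.10.88.194"]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard only as the
    entire leftmost label, never matching across a label boundary."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_endpoint(san_entries: Iterable[str], endpoint: str) -> bool:
    """True if `endpoint` (an IP literal or a hostname) is covered by the
    certificate's subjectAltName list. An IP endpoint is compared only with
    IP entries and a hostname only with DNS entries, which is why a DNS-only
    certificate fails when the peer is verified by its IP address."""
    try:
        wanted_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        wanted_ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if wanted_ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry: ignore it
        elif wanted_ip is None and kind == "DNS" and _dns_matches(value, endpoint):
            return True
    return False


if __name__ == "__main__":
    for sans, peer in [(SAN_DNS_ONLY, "10.10.88.194"),
                       (SAN_DNS_ONLY, "node1.example.internal"),
                       (SAN_WITH_IP, "10.10.88.194")]:
        print(f"{peer:24} {'ok' if verify_endpoint(sans, peer) else 'NO SAN MATCH'}")
```

The first case reproduces the failure mode from the issue: the DNS-only certificate is rejected when the peer identity is the node IP, and the same certificate is accepted once the node is verified by its FQDN or the IP is added to the SAN list.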