Updated Branches: refs/heads/cassandra-1.2 0d6131c40 -> 4460e2865
Add support for SSL sockets to use client certificate authentication. patch by Steven Franklin and Vijay for CASSANDRA-5120
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/4460e286
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/4460e286
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/4460e286
Branch: refs/heads/cassandra-1.2
Commit: 4460e2865dabb1d11950c04b5a4c9b79a12301e1
Parents: 0d6131c
Author: Vijay Parthasarathy <[email protected]>
Authored: Mon Jan 7 15:58:31 2013 -0800
Committer: Vijay Parthasarathy <[email protected]>
Committed: Mon Jan 7 15:58:31 2013 -0800
----------------------------------------------------------------------
conf/cassandra.yaml | 2 ++
.../apache/cassandra/config/EncryptionOptions.java | 1 +
.../org/apache/cassandra/security/SSLFactory.java | 1 +
.../cassandra/thrift/CustomTThreadPoolServer.java | 1 +
.../org/apache/cassandra/transport/Server.java | 3 ++-
5 files changed, 7 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index f2be64a..364bdd7 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -623,6 +623,7 @@ server_encryption_options:
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+ # require_client_auth: false
# enable or disable client/server encryption.
client_encryption_options:
@@ -634,6 +635,7 @@ client_encryption_options:
# algorithm: SunX509
# store_type: JKS
# cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
+ # require_client_auth: false
# internode_compression controls whether traffic between nodes is
# compressed.
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index b8a5a91..fe07f68 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -27,6 +27,7 @@ public abstract class EncryptionOptions
public String protocol = "TLS";
public String algorithm = "SunX509";
public String store_type = "JKS";
+ public Boolean require_client_auth = false;
public static class ClientEncryptionOptions extends EncryptionOptions
{
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 5e64c43..da8a3f4 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
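Review bot: The new field is declared as a boxed `Boolean` while every consumer added in this commit (SSLFactory, CustomTThreadPoolServer and Server.java) hands it straight to `setNeedClientAuth`/`requireClientAuth`, which take a primitive; a YAML file that lists the key with no value would presumably leave the field null and the auto-unboxing would then throw a NullPointerException at socket creation instead of failing at config load. A primitive matches both the call sites and the default given here: `public boolean require_client_auth = false;`. The field also deserves a short comment, since it changes what the server accepts rather than how it encrypts, e.g. `// when true, the server side of the TLS handshake rejects peers that do not present a verifiable client certificate`.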
@@ -55,6 +55,7 @@ public final class SSLFactory
serverSocket.setReuseAddress(true);
String[] suits = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
serverSocket.setEnabledCipherSuites(suits);
+ serverSocket.setNeedClientAuth(options.require_client_auth);
serverSocket.bind(new InetSocketAddress(address, port), 100);
return serverSocket;
}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index f6ab1f7..0a456b9 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -249,6 +249,7 @@ public class CustomTThreadPoolServer extends TServer
logger.info("enabling encrypted thrift connections between client and server");
TSSLTransportParameters params = new TSSLTransportParameters(clientEnc.protocol, clientEnc.cipher_suites);
params.setKeyStore(clientEnc.keystore, clientEnc.keystore_password);
+ params.requireClientAuth(clientEnc.require_client_auth);
TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(), 0, addr.getAddress(), params);
serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize);
}
http://git-wip-us.apache.org/repos/asf/cassandra/blob/4460e286/src/java/org/apache/cassandra/transport/Server.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/transport/Server.java b/src/java/org/apache/cassandra/transport/Server.java
index 0b43a4a..e999128 100644
--- a/src/java/org/apache/cassandra/transport/Server.java
+++ b/src/java/org/apache/cassandra/transport/Server.java
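Review bot: In the CustomTThreadPoolServer hunk `params` is built, given a keystore and passed to `TSSLTransportFactory.getServerSocket(...)` entirely within the hunk, and no truststore is ever set on it, so the new `requireClientAuth(clientEnc.require_client_auth)` asks for a client certificate that is not verified against the truststore the operator configured; as far as I recall Thrift's factory initialises the SSLContext with null trust managers in that case, i.e. the JVM's default trust anchors decide which clients are accepted. I would set the truststore next to the keystore so the accepted set is the configured one: `if (clientEnc.require_client_auth) params.setTrustStore(clientEnc.truststore, clientEnc.truststore_password);`. The SSLFactory hunk above is only free of the same issue if the SSLContext it draws `serverSocket` from (created outside the hunk) loads the truststore, which is worth confirming. Both enclosing methods start outside their hunks.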
@@ -249,7 +249,8 @@ public class Server implements CassandraDaemon.Server
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setEnabledCipherSuites(encryptionOptions.cipher_suites);
-
+ sslEngine.setNeedClientAuth(encryptionOptions.require_client_auth);
+
SslHandler sslHandler = new SslHandler(sslEngine);
sslHandler.setIssueHandshake(true);
ChannelPipeline pipeline = super.getPipeline();
