[ https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588564#comment-13588564 ]
Ryan McGuire commented on CASSANDRA-5120:
-----------------------------------------

I have verified that Cassandra always rejects a client certificate when *require_client_auth = true*. It cannot verify a key that it does not know about. If there is currently a way of installing my client certificate on the server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so that I could see how this would work with a server that does accept client certificates. stunnel has the option to verify client certificates with its verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 9999
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1:9999 -cert client.pem
{code}

With the certificate it connects, without it it doesn't. The same command on port 9160 can be used to connect to Cassandra over SSL with a client certificate.

With *require_client_auth=false*, the connection is always allowed whether I use a client certificate or not. With *require_client_auth=true* the connection is always terminated, regardless of whether I specify a client certificate, because the server does not know about my certificate. If Cassandra were to know about my certificate, I suspect this would work.

> Add support for SSL sockets to use client certificate authentication.
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-5120
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.0
>            Reporter: Steven Franklin
>            Assignee: Steven Franklin
>            Priority: Minor
>             Fix For: 1.2.1
>
>         Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate
> authentication.