[ https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588564#comment-13588564 ]

Ryan McGuire edited comment on CASSANDRA-5120 at 2/27/13 6:02 PM:
------------------------------------------------------------------

I have verified that Cassandra always rejects a client certificate when 
*require_client_auth = true*. It cannot verify a key that it does not know 
about. If there is currently a way of installing my client certificate on the 
server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so 
that I could see how this would work with a server that does accept client 
certificates. stunnel has the option to verify client certificates with its 
verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 9999
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1:9999 -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with 
a client certificate. With *require_client_auth=false*, the connection is always 
allowed whether I use a client certificate or not. With 
*require_client_auth=true* the connection is always terminated, regardless of 
whether I specify a client certificate, because the server does not know about my 
certificate.

If Cassandra were to know about my certificate, I suspect this would work.
                
> Add support for SSL sockets to use client certificate authentication.
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-5120
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.2.0
>            Reporter: Steven Franklin
>            Assignee: Steven Franklin
>            Priority: Minor
>             Fix For: 1.2.1
>
>         Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.

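As an added illustration (not code from the ticket, from Cassandra or from stunnel), the Go program below reproduces the three s_client runs Ryan describes against a server configured like Cassandra with require_client_auth=true: the server trusts exactly one CA, and a client certificate is accepted only if it chains to that CA, so a certificate from a same-named CA the server has never seen, or no certificate at all, ends the handshake. Everything here is constructed for the demo: the in-memory CA and certificates, the names issue, accepted, myca and ryan, and the loopback port; for brevity the server's own certificate is issued from the same CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a throwaway in-memory cert (constructed demo PKI): a self-signed CA if parent is nil, else a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// accepted runs one TLS handshake on loopback. The server stands in for Cassandra with require_client_auth=true
// and trustedCA as its whole truststore; empty clientCerts is s_client without -cert. True = server accepted.
func accepted(trustedCA tls.Certificate, clientCerts []tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() { // client side (server identity is out of scope here): connect with the given certs, then hang up
		if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: clientCerts, InsecureSkipVerify: true}); err == nil {
			cli.Close()
		}
	}()
	conn, _ := ln.Accept()
	defer func() { conn.Close(); ln.Close() }()
	return tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{issue("cassandra", &trustedCA)}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}).Handshake() == nil // no post-handshake writes
}

func main() {
	ca, rogue := issue("myca", nil), issue("myca", nil) // same name, different key: rogue is not in the truststore
	fmt.Println(accepted(ca, []tls.Certificate{issue("ryan", &ca)}), // true
		accepted(ca, []tls.Certificate{issue("ryan", &rogue)}), accepted(ca, nil)) // false false
}
```

The ClientCAs pool is the piece the ticket is missing: with require_client_auth=true and no way to load the client's CA into the server's truststore, a perfectly valid client certificate is indistinguishable from an unknown one.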
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
