Repository: cassandra Updated Branches: refs/heads/trunk b6ff7f6c0 -> c9c9c4226
Hostname verification for node-to-node encryption patch by Stefan Podkowinski; reviewed by Robert Stupp for CASSANDRA-9220 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/c9c9c422 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/c9c9c422 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/c9c9c422 Branch: refs/heads/trunk Commit: c9c9c42263f1d477e45e9c2053bc1bbedc08bf8e Parents: b6ff7f6 Author: Stefan Podkowinski <j...@midnightdrift.com> Authored: Mon Mar 28 13:02:50 2016 +0200 Committer: Robert Stupp <sn...@snazy.de> Committed: Mon Mar 28 13:02:50 2016 +0200 ---------------------------------------------------------------------- CHANGES.txt | 1 + conf/cassandra.yaml | 1 + .../cassandra/config/EncryptionOptions.java | 1 + .../apache/cassandra/security/SSLFactory.java | 40 ++++++++++++++++---- 4 files changed, 35 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 1a548d7..b80fdf3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 3.6 + * Add require_endpoint_verification opt for internode encryption (CASSANDRA-9220) * Add auto import java.util for UDF code block (CASSANDRA-11392) * Add --hex-format option to nodetool getsstables (CASSANDRA-11337) * sstablemetadata should print sstable min/max token (CASSANDRA-7159) http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/conf/cassandra.yaml ---------------------------------------------------------------------- diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml index 9883533..4abe96e 100644 --- a/conf/cassandra.yaml +++ b/conf/cassandra.yaml 
@@ -906,6 +906,7 @@ server_encryption_options: # store_type: JKS # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] # require_client_auth: false + # require_endpoint_verification: false # enable or disable client/server encryption. client_encryption_options: http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/src/java/org/apache/cassandra/config/EncryptionOptions.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java index 526e356..d662871 100644 --- a/src/java/org/apache/cassandra/config/EncryptionOptions.java +++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java @@ -30,6 +30,7 @@ public abstract class EncryptionOptions public String algorithm = "SunX509"; public String store_type = "JKS"; public boolean require_client_auth = false; + public boolean require_endpoint_verification = false; public static class ClientEncryptionOptions extends EncryptionOptions { http://git-wip-us.apache.org/repos/asf/cassandra/blob/c9c9c422/src/java/org/apache/cassandra/security/SSLFactory.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java index bef4a60..2e59b06 100644 --- a/src/java/org/apache/cassandra/security/SSLFactory.java +++ b/src/java/org/apache/cassandra/security/SSLFactory.java @@ -31,6 +31,7 @@ import java.util.List; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; 
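Review bot: The new `# require_endpoint_verification: false` line in server_encryption_options says nothing about what is verified or what the node certificates must contain, so an operator who enables it has to read SSLFactory to find out why handshakes start failing. A comment next to the option along the lines of `# Verify that the peer certificate's subjectAltName matches the address this node connects to (and, for inbound connections, the client's address when require_client_auth is also enabled); node certificates must carry the matching DNS name or IP address` would make the option usable from the yaml alone. Whether the match is made against a DNS name or the literal IP depends on how the connecting code names the peer, which is outside this hunk and should be confirmed before the comment is finalised.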
@@ -60,10 +61,9 @@ public final class SSLFactory
 SSLContext ctx = createSSLContext(options, true);
 SSLServerSocket serverSocket = (SSLServerSocket)ctx.getServerSocketFactory().createServerSocket();
 serverSocket.setReuseAddress(true);
- String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
- serverSocket.setEnabledCipherSuites(suites);
- serverSocket.setNeedClientAuth(options.require_client_auth);
+ prepareSocket(serverSocket, options);
 serverSocket.bind(new InetSocketAddress(address, port), 500);
+
 return serverSocket;
 }

@@ -72,8 +72,7 @@ public final class SSLFactory
 {
 SSLContext ctx = createSSLContext(options, true);
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port, localAddress, localPort);
- String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
- socket.setEnabledCipherSuites(suites);
+ prepareSocket(socket, options);
 return socket;
 }

@@ -82,8 +81,7 @@ public final class SSLFactory
 {
 SSLContext ctx = createSSLContext(options, true);
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(address, port);
- String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
- socket.setEnabledCipherSuites(suites);
+ prepareSocket(socket, options);
 return socket;
 }
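Review bot: The listening socket now gets endpoint identification turned on through `prepareSocket(serverSocket, options)`, but on the accepting side that check can only be applied to a certificate the client presents, so with `require_client_auth: false` the new option is presumably a silent no-op for inbound connections while the operator believes peers are being verified. Wherever the encryption options are validated at startup it would be worth rejecting or at least warning on that combination, e.g. `if (options.require_endpoint_verification && !options.require_client_auth) logger.warn("require_endpoint_verification has no effect on inbound connections unless require_client_auth is also enabled");` (assuming a logger is available there; none is visible in this hunk). The enclosing getServerSocket method starts before the hunk, so its signature and any existing validation are not visible here.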
@@ -92,9 +90,35 @@ public final class SSLFactory
 {
 SSLContext ctx = createSSLContext(options, true);
 SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
+ prepareSocket(socket, options);
+ return socket;
+ }
+
+ /** Sets relevant socket options specified in encryption settings */
+ private static void prepareSocket(SSLServerSocket serverSocket, EncryptionOptions options)
+ {
+ String[] suites = filterCipherSuites(serverSocket.getSupportedCipherSuites(), options.cipher_suites);
+ if(options.require_endpoint_verification)
+ {
+ SSLParameters sslParameters = serverSocket.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ serverSocket.setSSLParameters(sslParameters);
+ }
+ serverSocket.setEnabledCipherSuites(suites);
+ serverSocket.setNeedClientAuth(options.require_client_auth);
+ }
+
+ /** Sets relevant socket options specified in encryption settings */
+ private static void prepareSocket(SSLSocket socket, EncryptionOptions options)
+ {
 String[] suites = filterCipherSuites(socket.getSupportedCipherSuites(), options.cipher_suites);
+ if(options.require_endpoint_verification)
+ {
+ SSLParameters sslParameters = socket.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ socket.setSSLParameters(sslParameters);
+ }
 socket.setEnabledCipherSuites(suites);
- return socket;
 }

 @SuppressWarnings("resource")
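Review bot: Both prepareSocket overloads hand JSSE the "HTTPS" algorithm without saying what host the peer certificate will be matched against, and every socket in this file is created from an InetAddress (or, in the overload just above, with no address at all), so the match will presumably be made against the peer's IP address string rather than a DNS name — meaning node certificates need an iPAddress subjectAltName, which nothing in the patch documents. The literal is also duplicated; hoisting it, e.g. `private static final String ENDPOINT_IDENTIFICATION_ALGORITHM = "HTTPS";`, keeps the two overloads in step and gives the Javadoc one place to explain it. The one-line Javadoc on each overload should say that require_endpoint_verification compares the peer certificate against the address the socket is connected to, and that on the server-socket overload this can only apply to a client certificate and therefore depends on require_client_auth. Whether JSSE uses the literal address or reverse-resolves it to a name varies by JDK version, so that should be confirmed against the JVMs Cassandra supports before the comment is finalised.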