Re: Cassandra 2FA

2018-07-10 Thread Vitali Dyachuk
Thanks, I checked the ticket, which is about client hostname verification,
but this is not an optimal solution for us; maintaining the allowed hosts
list is not a convenient way: once new hosts are added you have to reissue a
new cert and deploy it. What we are looking for is, for example, certificate
validation based on CN, which adds an additional small level of security.
I'm also thinking of trying the OID "challengePassword" as a pre-shared key,
but that's not related to C*.


On Tue, Jul 10, 2018 at 10:43 AM Stefan Podkowinski wrote:

> You may want to keep an eye on the following ticket:
> https://issues.apache.org/jira/browse/CASSANDRA-13404
>
>
> On 09.07.2018 17:12, Vitali Dyachuk wrote:
> > Hi,
> > There is certificate validation based on the mutual CA; this is the 1st
> > factor. The 2nd factor could be checking the common name of the client
> > certificate. Probably this requires writing a patch, but probably someone
> > has already done that?
> >
> > Vitali Djatsuk.
>
> -
> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: user-h...@cassandra.apache.org
>
>
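The CN-based check asked about in this message, sketched as an added example (not code from the thread or from Cassandra): a trust manager that runs the normal CA validation and then compares the client certificate's CN against an allow-list. The class name `CnCheckingTrustManager` and the allow-list are hypothetical, and wiring it into Cassandra's SSL setup is assumed and not shown.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.X509TrustManager;

/** Hypothetical wrapper (not Cassandra code): CA chain validation, then a CN allow-list. */
public final class CnCheckingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate; // performs the normal CA validation
    private final Set<String> allowedCns;    // constructed policy, e.g. "app-client-1"

    public CnCheckingTrustManager(X509TrustManager delegate, Set<String> allowedCns) {
        this.delegate = delegate;
        this.allowedCns = new HashSet<>(allowedCns);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType); // first check: chain up to the trusted CA
        String cn = commonName(chain[0]);             // chain[0] is the client's leaf certificate
        if (!allowedCns.contains(cn)) throw new CertificateException("client certificate CN not allowed: " + cn);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** Parses the subject DN (RFC 2253 form) and requires exactly one CN attribute. */
    static String commonName(X509Certificate cert) throws CertificateException {
        String found = null;
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if (rdn.size() != 1) throw new CertificateException("multi-valued RDN rejected");
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (found != null) throw new CertificateException("more than one CN in subject");
                found = String.valueOf(rdn.getValue());
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        if (found == null) throw new CertificateException("no CN in subject");
        return found;
    }
}
```

The CN is whatever the CA signed, so this check is only as strong as the CA's issuance policy for that name.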


Re: Cassandra 2FA

2018-07-10 Thread Stefan Podkowinski
You may want to keep an eye on the following ticket:
https://issues.apache.org/jira/browse/CASSANDRA-13404


On 09.07.2018 17:12, Vitali Dyachuk wrote:
> Hi,
> There is certificate validation based on the mutual CA; this is the 1st
> factor. The 2nd factor could be checking the common name of the client
> certificate. Probably this requires writing a patch, but probably someone
> has already done that?
> 
> Vitali Djatsuk.
