[ https://issues.apache.org/jira/browse/CASSANDRA-14223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16479313#comment-16479313 ]
Ron Blechman edited comment on CASSANDRA-14223 at 5/17/18 4:29 PM: ------------------------------------------------------------------- I haven't tried this on the 4.0 trunk. I have been working solely with Cassandra 3.11.2. and have been testing this with CRLs that are pre-fetched - which I believe avoids the concerns you mentioned about blocking. My comments about OCSP are looking more towards the future - as my first priority is to have this work with CRLs. I have tested this with OCSP and dynamically downloaded CRLS, but perhaps not rigorously enough to run into the issues you expressed concern about. +{color:#0066cc}Per Otterström{color}+ - I would need further details for me to answer whether what you and/or [~spo...@gmail.com] are suggesting would work for us or not. Do you know if what you are suggesting work with Bouncy Castle in FIPS mode? was (Author: ronblechman): I haven't tried this on the 4.0 trunk. I have been working solely with Cassandra 3.11.2. and have been testing this with CRLs that are pre-fetched - which I believe avoids the concerns you mentioned about blocking. My comments about OCSP are looking more towards the future - as my first priority is to have this work with CRLs. I have tested this with OCSP and dynamically downloaded CRLS, but perhaps not rigorously enough to run into the issues you expressed concern about. +{color:#0066cc}Per Otterström{color}+ - I would need further details for me to answer whether what you are suggesting would work for us or not. Do you know if what you are suggesting work with Bouncy Castle in FIPS mode? > Provide ability to do custom certificate validations (e.g. hostname > validation, certificate revocation checks) > -------------------------------------------------------------------------------------------------------------- > > Key: CASSANDRA-14223 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14223 > Project: Cassandra > Issue Type: Improvement > Components: Configuration > Reporter: Ron Blechman > Priority: Major > Labels: security > Fix For: 4.x > > > Cassandra server should be to be able do additional certificate validations, > such as hostname validatation and certificate revocation checking against > CRLs and/or using OCSP. > One approach couild be to have SSLFactory use SSLContext.getDefault() instead > of forcing the creation of a new SSLContext using SSLContext.getInstance(). > Using the default SSLContext would allow a user to plug in their own custom > SSLSocketFactory via the java.security properties file. The custom > SSLSocketFactory could create a default SSLContext that was customized to do > any extra validation such as certificate revocation, host name validation, > etc. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org