Thanh created CASSANDRA-15891:
---------------------------------

             Summary: allow cassandra admin to decide what endpoint to use for 
endpoint verification
                 Key: CASSANDRA-15891
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15891
             Project: Cassandra
          Issue Type: Improvement
            Reporter: Thanh


With cassandra-9220, it's possible to configure endpoint/hostname verification 
when enabling internode encryption.  However, you don't have any control over 
what endpoint is used for the endpoint verification; instead, cassandra will 
automatically try to use node IP (not node hostname) for endpoint verification, 
so if your node certificates don't include the IP in the ssl certificate's SAN 
list, then you'll get an error like:
{code:java}
ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]]
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <NODE_IP_ADDRESS> found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
{code}
From what I've seen, most orgs will not have node IPs in their certs.

So, it would be best if cassandra provided another configuration option 
such as *{{endpoint_verification_method}}*, which you could set to "ip" or 
"fqdn" or something else (e.g. "hostname_alias" if for whatever reason the org 
doesn't want to use the fqdn for endpoint verification).
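As an added illustration of the mismatch this issue describes (example code written for this page, not Cassandra's own implementation and not code from the reporter): a small Python model of TLS endpoint identification against a certificate's subject alternative names, plus a sketch of how the proposed endpoint_verification_method switch would change which identity is checked. The SAN entries, peer IP and host names are constructed; the configuration key and its values ("ip", "fqdn", "hostname_alias") are the reporter's proposal, not an existing cassandra.yaml setting; and how a node would learn a peer's FQDN or alias (reverse DNS, configuration) is left as an assumption of the caller.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample SAN list for a node certificate that, as the issue
# describes, carries host names but no IP address. Not a real certificate;
# parsing an actual X.509 file (e.g. with the `cryptography` package) is
# out of scope here.
NODE_CERT_SAN = [
    ("DNS", "cass-node1.example.internal"),
    ("DNS", "*.cass.example.internal"),
]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, label by label,
    with a wildcard allowed only as the whole left-most label and only when
    at least two labels follow it. A wildcard never spans a dot, so
    *.cass.example.internal matches n7.cass.example.internal but not
    a.b.cass.example.internal."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3:
            return False
        p, h = p[1:], h[1:]
    elif "*" in pattern:
        return False  # partial wildcards such as n*.example are not accepted
    return p == h


def endpoint_matches_san(endpoint: str, san: List[Tuple[str, str]]) -> bool:
    """Decide whether `endpoint` is covered by the certificate's SAN entries
    the way a TLS endpoint-identification check does: an IP literal is only
    satisfied by an iPAddress (IP) entry for the same address, and a host
    name only by a dNSName (DNS) entry. The two kinds never cross over,
    which is exactly why a DNS-only certificate fails when the peer is
    identified by its IP, as in the handshake error quoted in this issue."""
    try:
        target_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        target_ip = None
    for kind, value in san:
        if target_ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the certificate: ignore it
        elif target_ip is None and kind == "DNS":
            if _dns_name_matches(value, endpoint):
                return True
    return False


def choose_endpoint(method: str, peer_ip: str, peer_fqdn: Optional[str] = None,
                    peer_alias: Optional[str] = None) -> str:
    """Model of the endpoint_verification_method option proposed in this
    issue (a hypothetical setting, not an existing cassandra.yaml key).
    "ip" is today's behaviour; "fqdn" and "hostname_alias" let the operator
    verify against a name the certificate actually carries. Where the FQDN
    or alias comes from (reverse DNS, a config file) is an assumption left
    to the caller."""
    if method == "ip":
        return peer_ip
    if method == "fqdn":
        if not peer_fqdn:
            raise ValueError("fqdn verification requested but no host name is known for %s" % peer_ip)
        return peer_fqdn
    if method == "hostname_alias":
        if not peer_alias:
            raise ValueError("hostname_alias verification requested but no alias is configured for %s" % peer_ip)
        return peer_alias
    raise ValueError("unknown endpoint_verification_method: %r" % method)


def verify_peer(method: str, peer_ip: str, san: List[Tuple[str, str]],
                peer_fqdn: Optional[str] = None,
                peer_alias: Optional[str] = None) -> Tuple[str, bool]:
    """Pick the identity to check under `method`, then test it against the
    SAN list. Returns (identity_used, verified)."""
    endpoint = choose_endpoint(method, peer_ip, peer_fqdn, peer_alias)
    return endpoint, endpoint_matches_san(endpoint, san)


if __name__ == "__main__":
    # Constructed peer: the same node reached by IP or by its FQDN.
    peer_ip, peer_fqdn = "10.10.88.194", "cass-node1.example.internal"
    for method in ("ip", "fqdn"):
        identity, ok = verify_peer(method, peer_ip, NODE_CERT_SAN, peer_fqdn)
        print("%-5s -> checked %-28s %s" % (method, identity, "OK" if ok else "no matching SAN"))
```

Running the block shows the two outcomes side by side: under "ip" the DNS-only certificate has nothing to match the IP literal against, which is the situation behind the quoted error, while under "fqdn" the same certificate verifies. The practical check for an operator is the same in either direction: whichever identity the node will present for verification must appear in the certificate as an entry of the matching kind (an IP as an iPAddress SAN, a name as a dNSName SAN).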



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
