[ 
https://issues.apache.org/jira/browse/CASSANDRA-15891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thanh updated CASSANDRA-15891:
------------------------------
    Summary: provide a configuration option such as 
endpoint_verification_method  (was: allow cassandra admin to decide what 
endpoint to use for endpoint verification)

> provide a configuration option such as endpoint_verification_method
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-15891
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15891
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Thanh
>            Priority: Normal
>
> With CASSANDRA-9220, it's possible to configure endpoint/hostname 
> verification when enabling internode encryption.  However, you don't have any 
> control over what endpoint is used for the endpoint verification; instead, 
> Cassandra will automatically try to use the node IP (not the node hostname) for 
> endpoint verification, so if your node certificates don't include the IP in 
> the SSL certificate's SAN list, then you'll get an error like:
> {code:java}
> ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]]
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <NODE_IP_ADDRESS> found
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> {code}
> From what I've seen, most orgs will not have node IPs in their certs.
> So, it would be best if Cassandra provided another configuration option 
> such as *{{endpoint_verification_method}}* which you could set to "ip" or 
> "fqdn" or something else (e.g. "hostname_alias" if for whatever reason the org 
> doesn't want to use fqdn for endpoint verification).
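
The failure mode described in the issue, as an added example (not part of the original report and not Cassandra code): an IP identity is only ever compared against IP-type SAN entries, so a certificate carrying DNS names alone fails verification by IP. The script audits a node inventory to show which identity each certificate would verify against. The `ip`/`fqdn` labels follow the values proposed in the issue, the SAN tuples use the shape of Python's `ssl.SSLSocket.getpeercert()["subjectAltName"]`, the wildcard rule is a simplified RFC 6125-style match, and the inventory is constructed sample data.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_matches(san, endpoint):
    """san: (type, value) tuples, e.g. ('DNS', 'a.example') or ('IP Address', '192.0.2.1')."""
    if _is_ip(endpoint):
        # An IP identity is never compared against DNS-type entries.
        want = ipaddress.ip_address(endpoint)
        return any(kind == "IP Address" and _is_ip(val)
                   and ipaddress.ip_address(val) == want for kind, val in san)
    return any(kind == "DNS" and _dns_match(val, endpoint) for kind, val in san)

def usable_methods(node):
    """Identities ('ip', 'fqdn') that this node's certificate would verify against."""
    return [m for m in ("ip", "fqdn") if san_matches(node["san"], node[m])]

# Constructed sample inventory (documentation address range, example.com names).
NODES = [
    {"ip": "192.0.2.10", "fqdn": "cass1.example.com",
     "san": (("DNS", "cass1.example.com"),)},            # DNS only: fails by IP
    {"ip": "192.0.2.11", "fqdn": "cass2.example.com",
     "san": (("DNS", "*.example.com"), ("IP Address", "192.0.2.11"))},
    {"ip": "192.0.2.12", "fqdn": "cass3.example.com",
     "san": (("DNS", "192.0.2.12"),)},                   # IP put in a DNS entry
]

if __name__ == "__main__":
    for n in NODES:
        print(n["fqdn"], usable_methods(n) or "no usable identity")
```

The third node shows a common issuance mistake: an address written into a DNS-type SAN entry satisfies neither identity.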


