[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522461#comment-17522461 ]

Maulin Vasavada edited comment on CASSANDRA-17513 at 4/15/22 3:04 AM:
----------------------------------------------------------------------

Hi [~Jyothsnakonisa], based on what you are saying, you seem to clearly 
understand the client/server encryption options. However, I fail to understand your 
challenge. Do you want to be able to configure different keystores for each 
server node?

If you are thinking that you want two different keystores for each server node 
- 1) for sending a server cert and 2) for sending the client cert - I would +1 
Brandon's question: what would be your motivation to do that? In my experience 
I've not seen such a setup. It makes total sense to me to say: "Hey, my server 
node has Identity-A, and that is what I send to my client so it can trust me; 
likewise, when I am the client, I use that same identity to be trusted by the receiver." 
However, it sounds odd to say "I want to use Identity-A when I am acting as a 
server to a given peer and use Identity-B when I am acting as a client to the 
same peer." The way I think of it is: a node has one identity that it uses to be 
trusted, be it in client or server mode with the same peer.

We also have to be cognizant of the operational overhead of managing so many 
keypairs.


was (Author: maulin.vasavada):
Hi [~Jyothsnakonisa], based on what you are saying, you seem to clearly 
understand the client/server encryption options. However, I fail to understand your 
challenge. Do you want to be able to configure different keystores for each 
server node?

If you are thinking that you want two different keystores for each server node 
- 1) for sending a server cert and 2) for sending the client cert - I would +1 
Brandon's question: what would be your motivation to do that? In my experience 
I've not seen such a setup. It makes total sense to me to say: "Hey, my server 
node has Identity-A, and that is what I send to my client so it can trust me; 
likewise, when I am the client, I use that same identity to be trusted by the receiver." 
However, it sounds odd to say "I want to use Identity-A when I am acting as a 
server to a given peer and use Identity-B when I am acting as a client to the 
same peer." The way I think of it is: a node has one identity that it uses to be 
trusted, be it in client or server mode with the same peer.

> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The same keystore is being set for both inbound and outbound connections, but we 
> should use a keystore with the server certificate for inbound connections and a 
> keystore with the client certificate for outbound connections. So we should add 
> a new property in cassandra.yaml to pass the outbound keystore and use it in 
> SSLContextFactory for creating the outbound SSL context.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
