[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522642#comment-17522642 ]

Dinesh Joshi commented on CASSANDRA-17513:
------------------------------------------

For internode communication, currently it is not possible for the server to 
identify itself using a client certificate. By adding this option we will be 
able to present a client identity to other nodes. The nodes can use this client 
certificate to authenticate the node. This makes it possible to implement 
mutual TLS, which is currently not possible.

{quote}The way I think is - A node has an identity that it uses to-be trusted- 
be it a client or server mode with the same peer.
{quote}

You cannot use the same certificate as a client certificate and a server 
certificate. They are distinct. You cannot use a client certificate as a server 
certificate and vice-versa.

As far as operational overhead is concerned, this is not a required 
configuration item. It is optional and won't cause "overhead" unless it is 
actually used by the operator.

> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we 
> should use a keystore with server certificate for Inbound connections and a 
> keystore with client certificates for outbound connections. So we should add 
> a new property in Cassandra.yaml to pass outbound keystore and use it in 
> SSLContextFactory for creating outbound SSL context.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
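
The separation discussed in this thread, as an added example that is not part of the original message and not Cassandra's own code: one SSLContext built from a server-certificate keystore for inbound connections (with client authentication required) and a second built from a client-certificate keystore for outbound connections, both validating peers against one shared truststore. Assumptions: PKCS12 files passed as arguments, a single password read from a hypothetical KS_PASSWORD environment variable, a placeholder peer host and port, and hypothetical class and method names.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;

/** Added illustration; all names here are hypothetical, not Cassandra's. */
public class InternodeTlsContexts {

    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Identity comes from the given keystore, trust anchors from the shared truststore. */
    static SSLContext context(Path keystore, Path truststore, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, password), password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // usage: KS_PASSWORD=... java InternodeTlsContexts server.p12 client.p12 trust.p12
        char[] pw = System.getenv("KS_PASSWORD").toCharArray();
        Path trust = Paths.get(args[2]);

        SSLContext inbound = context(Paths.get(args[0]), trust, pw);   // server certificate
        SSLContext outbound = context(Paths.get(args[1]), trust, pw);  // client certificate

        // Inbound side: accept connections and require the peer to present a certificate.
        SSLEngine serverSide = inbound.createSSLEngine();
        serverSide.setUseClientMode(false);
        serverSide.setNeedClientAuth(true);

        // Outbound side: present the client identity and verify the peer's hostname.
        SSLEngine clientSide = outbound.createSSLEngine("peer.example.invalid", 7000); // placeholder peer
        clientSide.setUseClientMode(true);
        SSLParameters params = clientSide.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        clientSide.setSSLParameters(params);

        System.out.println("inbound needClientAuth=" + serverSide.getNeedClientAuth()
                + ", outbound clientMode=" + clientSide.getUseClientMode());
    }
}
```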
