[ https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523805#comment-17523805 ]
Maulin Vasavada edited comment on CASSANDRA-17513 at 4/19/22 12:08 AM:
-----------------------------------------------------------------------

[~Jyothsnakonisa] and [~djoshi] - would it be possible to put both private keys - server and client - in the same keystore? I've never tried it, so I'm not sure, but would Java be able to use the correct certificate based on whether it requires a server certificate or a client certificate?

I think writing up [a sample https server/client|https://bugs.openjdk.java.net/browse/JDK-8262186] locally could help test/verify that.

-However, so far from the Java code standpoint I am not able to locate the place where it checks the OID/extendedKeyUsage field for a client/server cert read from a keystore.-

I think I found [the code|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java#L566] in OpenJDK 8 that checks for the extendedKeyUsage on a certificate while choosing from the keystore.


was (Author: maulin.vasavada):
[~Jyothsnakonisa] and [~djoshi] - would it be possible to put both private keys - server and client - in the same keystore? I've never tried it, so I'm not sure, but would Java be able to use the correct certificate based on whether it requires a server certificate or a client certificate?

I think writing up [a sample https server/client|https://bugs.openjdk.java.net/browse/JDK-8262186] locally could help test/verify that.

However, so far from the Java code standpoint I am not able to locate the place where it checks the OID/extendedKeyUsage field for a client/server cert read from a keystore.

> Add new property to pass keystore for outbound connections
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we
> should use a keystore with server certificate for Inbound connections and a
> keystore with client certificates for outbound connections. So we should add
> a new property in Cassandra.yaml to pass outbound keystore and use it in
> SSLContextFactory for creating outbound SSL context.
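
One way to check which entries of a single keystore are eligible for each role, as an added example that is not part of the original message and is not Cassandra or OpenJDK code: it loads a PKCS12 keystore and reports, per key entry, whether the leaf certificate's extendedKeyUsage permits serverAuth and clientAuth. The class name, the `KEYSTORE_PASSWORD` environment variable and the PKCS12 store type are assumptions of this example, and it does not reproduce the JDK key manager's full selection logic.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name): reports which key entries in one
// keystore may act as TLS server and/or client credentials, judged by EKU only.
public class KeystoreEkuReport {
    static final String ANY_EKU = "2.5.29.37.0";           // anyExtendedKeyUsage
    static final String SERVER_AUTH = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // getExtendedKeyUsage() returns null when the extension is absent, which
    // leaves the certificate unrestricted; otherwise the wanted purpose or
    // anyExtendedKeyUsage must be listed.
    static boolean permits(List<String> eku, String purpose) {
        return eku == null || eku.contains(ANY_EKU) || eku.contains(purpose);
    }

    public static void main(String[] args) throws Exception {
        // KEYSTORE_PASSWORD is a name chosen for this example, not a Cassandra setting.
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 1 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreEkuReport <keystore.p12>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;               // skip trusted-cert entries
            Certificate leaf = ks.getCertificate(alias);       // first cert of the chain
            if (!(leaf instanceof X509Certificate)) continue;
            List<String> eku = ((X509Certificate) leaf).getExtendedKeyUsage();
            System.out.printf("%-24s server=%-5b client=%-5b eku=%s%n", alias,
                    permits(eku, SERVER_AUTH), permits(eku, CLIENT_AUTH),
                    eku == null ? "(absent)" : eku);
        }
    }
}
```

An entry that prints `server=true client=true` carries no EKU restriction that would separate the two roles, so a combined keystore would rely on something other than EKU to tell those entries apart.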