[ 
https://issues.apache.org/jira/browse/CASSANDRA-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17525961#comment-17525961
 ] 

Maulin Vasavada commented on CASSANDRA-17513:
---------------------------------------------

Thank you [~djoshi] for considering the suggestion for the ticket title.

I've thought about it (and experimented a little) and talked to some of the 
security experts, and I agree with the approach to have a separate keystore for 
client vs server certs for internode connections in case we need to have client 
auth enabled. While Java keystores provide the ability to store multiple keys in 
them, for a variety of reasons (some of which you already mentioned in your latest 
comment) it makes sense to keep client vs server keys separate.

Given that we would need a different keystore for client TLS auth for the 
internode connection, what if somebody wants to use the same certs for client 
as well as server auth? Would they be required to copy them to a separate 
keystore, or would the code changes have a fallback when the 'outbound keystore' 
(as the current PR refers to it) is not configured?

> Adding support for TLS client authentication for internode communication
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17513
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Same keystore is being set for both Inbound and outbound connections but we 
> should use a keystore with server certificate for Inbound connections and a 
> keystore with client certificates for outbound connections. So we should add 
> a new property in Cassandra.yaml to pass outbound keystore and use it in 
> SSLContextFactory for creating outbound SSL context.


