[ https://issues.apache.org/jira/browse/CASSJAVA-80?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17932437#comment-17932437 ]

Bret McGuire commented on CASSJAVA-80:
--------------------------------------

To follow up: in testing, use of this feature does _not_ actually break Astra 
connectivity.  I believe this is due to changes in how we use SNI within Astra, 
but I haven't been able to confirm that with any certainty.


There's no real reason why an Astra user would need to leverage this feature, 
and until we can explain this with certainty the defaults should absolutely 
remain what they are now (i.e. the feature should continue to be disabled by 
default).  I add the note regarding my testing against Astra merely for 
completeness (as it was mentioned above).

> Support configuration to disable DNS reverse-lookups for SAN validation
> -----------------------------------------------------------------------
>
>                 Key: CASSJAVA-80
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-80
>             Project: Apache Cassandra Java driver
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 4.19.1
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Currently, apache/cassandra-java-driver uses InetSocketAddress.getHostName to 
> configure the SSLEngine for server certificate verification:
> [https://github.com/apache/cassandra-java-driver/blob/90612f6758eb0f0ba964daf054f397a47a90a736/core/src/main/java/com/datastax/oss/driver/internal/core/ssl/DefaultSslEngineFactory.java#L100]
>
> InetSocketAddress.getHostName does a DNS reverse-lookup when given a literal 
> IP. This can cause issues in very specific environments where the client's 
> environment DNS returns an IP address for a reverse-lookup that's not 
> mentioned in the server certificate's Subject Alternative Names field.
>
> Most environments should include SANs that match user-specified server 
> addresses, so we shouldn't require a DNS reverse-lookup to find an address 
> with a matching SAN. This configuration should typically be false, but 
> since we currently do a reverse-lookup and don't want to break any existing 
> users, we'll default it to true.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
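The behaviour the issue describes, shown as an added example that is not the driver's own code: an `InetSocketAddress` built from a literal IP returns that literal from `getHostString()` without any DNS traffic, while `getHostName()` performs a reverse (PTR) lookup and hands whatever name comes back to the `SSLEngine`, which is then what endpoint identification matches against the server certificate's SANs. The `resolveHostname` flag below is a hypothetical stand-in for the driver's configuration option, not its real config key, and the addresses are constructed from the documentation range 192.0.2.0/24.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SanHostnameDemo {

    /**
     * Picks the name the SSLEngine will verify the server certificate against.
     *
     * resolveHostname = true  -> getHostName(): for a literal IP this triggers a DNS
     *                            reverse lookup, and the PTR answer (if any) is what
     *                            must appear in the certificate's SANs.
     * resolveHostname = false -> getHostString(): returns exactly what the user
     *                            configured (the IP literal or the hostname), with
     *                            no DNS query at all.
     */
    static String peerNameForVerification(InetSocketAddress address, boolean resolveHostname) {
        return resolveHostname ? address.getHostName() : address.getHostString();
    }

    /**
     * Builds a client-mode SSLEngine with hostname verification enabled. Without
     * setEndpointIdentificationAlgorithm the JSSE only checks that the chain is
     * trusted; with "HTTPS" it additionally matches peerName against the SANs.
     */
    static SSLEngine newClientEngine(SSLContext ctx, InetSocketAddress address,
                                     boolean resolveHostname) {
        String peerName = peerNameForVerification(address, resolveHostname);
        SSLEngine engine = ctx.createSSLEngine(peerName, address.getPort());
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample contact point given as a literal IP (documentation range).
        InetSocketAddress literal = new InetSocketAddress("192.0.2.10", 9042);
        System.out.println("literal, no lookup : " + peerNameForVerification(literal, false));
        // This call does the reverse lookup; prints the PTR name if the local resolver
        // has one for 192.0.2.10, otherwise falls back to the literal IP text.
        System.out.println("literal, reverse   : " + peerNameForVerification(literal, true));

        // A contact point configured by name; createUnresolved avoids a forward lookup
        // here and both accessors return the configured name unchanged.
        InetSocketAddress named = InetSocketAddress.createUnresolved("node1.example.test", 9042);
        System.out.println("named, no lookup   : " + peerNameForVerification(named, false));
        System.out.println("named, reverse     : " + peerNameForVerification(named, true));

        // The engine is only constructed, not handshaked, so this runs offline.
        SSLEngine engine = newClientEngine(SSLContext.getDefault(), literal, false);
        System.out.println("engine peer host   : " + engine.getPeerHost()
                + " endpoint id = "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

With `resolveHostname=false` and an IP literal as peer name, the JSSE will not send that literal as SNI (RFC 6066 does not allow IP literals there), and verification succeeds only if the certificate carries a matching `iPAddress` SAN; with `resolveHostname=true` the outcome additionally depends on what the client's resolver returns for the PTR query, which is exactly the environment-specific failure the issue describes.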
