[
https://issues.apache.org/jira/browse/CASSANDRA-6847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13932911#comment-13932911
]
Jason Brown commented on CASSANDRA-6847:
----------------------------------------
Beyond the discussion in the original ticket, I have no recollection of why we
bailed on the trust store for the native protocol. We quite clearly do it in
thrift: CustomTThreadPoolServer.Factory.buildTServer() passes true as the
second arg to SSLFactory.createSSLContext(), so I'm not sure why we left it out
of the native protocol.
Barring any further insight from [~slebresne], I think we should go ahead and
change this to respect require_client_auth.
> The binary transport doesn't load truststore file
> -------------------------------------------------
>
> Key: CASSANDRA-6847
> URL: https://issues.apache.org/jira/browse/CASSANDRA-6847
> Project: Cassandra
> Issue Type: Bug
> Reporter: Mikhail Stepura
> Priority: Minor
> Labels: ssl
>
> {code:title=org.apache.cassandra.transport.Server.SecurePipelineFactory}
> this.sslContext = SSLFactory.createSSLContext(encryptionOptions, false);
> {code}
> {{false}} there means that {{truststore}} file won't be loaded in any case.
> And that means that the file will not be used to validate clients when
> {{require_client_auth==true}}, making
> http://www.datastax.com/documentation/cassandra/2.0/cassandra/security/secureNewTrustedUsers_t.html
> meaningless.
> The only way to workaround that currently is to start C* with
> {{-Djavax.net.ssl.trustStore=conf/.truststore}}
> I believe we should load {{truststore}} when {{require_client_auth==true}},
--
This message was sent by Atlassian JIRA
(v6.2#6252)
