[ https://issues.apache.org/jira/browse/CASSANDRA-7528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14057007#comment-14057007 ]
Michael Shuler commented on CASSANDRA-7528:
-------------------------------------------

Do you think it is reasonable for the database to cease to communicate, and as a result, cease to function properly, due to an ssl cert expiration? Should this just be a logged warning? In practice, the encryption is still just as valid on an expired certificate as a non-expired cert. I'm not sure it should be up to the database software to enforce ssl cert expiry, so a logged warning is probably sufficient, and hopefully the sysadmin that let the cert expire will also read the logs :)

> certificate not validated for internode SSL encryption.
> -------------------------------------------------------
>
>                 Key: CASSANDRA-7528
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7528
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>         Environment: Amazon Linux on various AWS EC2 instance types.
>            Reporter: Joseph Clark
>
> An expired certificate may be used to encrypt internode communication.
> To reproduce, set the server_encryption_options to enable internode
> encryption. Add the private key to the specified .keystore, and an expired
> certificate generated using the private key to the specified truststore. The
> same keys are used for all cassandra nodes in the cluster.
> When cassandra is started, it is able to communicate with other cassandra
> nodes even though the certificate is expired.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
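
An operator-side check for the condition discussed in this thread, as an added example that is not part of the original message or of Cassandra's code: it lists every X.509 certificate in a JKS keystore or truststore and flags those that are expired, not yet valid, or near expiry. The class name, the 30-day warning window and the command-line arguments are assumptions; the non-zero exit status leaves it to the caller whether the result becomes a logged warning or a refusal to start.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.concurrent.TimeUnit;

// Added example (hypothetical class name): reports certificates in a JKS
// store that are expired, not yet valid, or close to expiry.
public class TruststoreExpiryCheck {
    static final long WARN_DAYS = 30; // assumption: advance-warning window

    /** Returns "EXPIRED", "NOT_YET_VALID", "EXPIRING_SOON" or "OK". */
    static String classify(X509Certificate cert, Date now) {
        try {
            cert.checkValidity(now); // compares now against notBefore/notAfter
        } catch (CertificateExpiredException e) {
            return "EXPIRED";
        } catch (CertificateNotYetValidException e) {
            return "NOT_YET_VALID";
        }
        Date soon = new Date(now.getTime() + TimeUnit.DAYS.toMillis(WARN_DAYS));
        return cert.getNotAfter().before(soon) ? "EXPIRING_SOON" : "OK";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TruststoreExpiryCheck <store.jks> <password>");
            System.exit(2);
        }
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        Date now = new Date();
        int problems = 0;
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // skip non-X.509 entries
            X509Certificate x = (X509Certificate) c;
            String state = classify(x, now);
            if (!state.equals("OK")) problems++;
            System.out.printf("%-14s alias=%s notAfter=%s%n", state, alias, x.getNotAfter());
        }
        System.exit(problems == 0 ? 0 : 1); // 1 = at least one certificate needs attention
    }
}
```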