Warn when SSL certs have expired. Patch by brandonwilliams, reviewed by jasobrown for CASSANDRA-7528
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/11351e3c
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/11351e3c
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/11351e3c
Branch: refs/heads/cassandra-2.1.0
Commit: 11351e3c0dd20e60e1f21be6cfa966377a999f83
Parents: 6893130
Author: Brandon Williams <brandonwilli...@apache.org>
Authored: Thu Jul 10 12:08:58 2014 -0500
Committer: Brandon Williams <brandonwilli...@apache.org>
Committed: Thu Jul 10 12:08:58 2014 -0500
----------------------------------------------------------------------
 CHANGES.txt | 1 +
 .../apache/cassandra/security/SSLFactory.java | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/11351e3c/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 3553e4a..6b4e44b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
 2.0.10
+ * Warn when SSL certificates have expired (CASSANDRA-7528)
  * Workaround JVM NPE on JMX bind failure (CASSANDRA-7254)
  * Fix race in FileCacheService RemovalListener (CASSANDRA-7278)
  * Fix inconsistent use of consistencyForCommit that allowed LOCAL_QUORUM
http://git-wip-us.apache.org/repos/asf/cassandra/blob/11351e3c/src/java/org/apache/cassandra/security/SSLFactory.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/security/SSLFactory.java b/src/java/org/apache/cassandra/security/SSLFactory.java
index 73edc05..3cb0670 100644
--- a/src/java/org/apache/cassandra/security/SSLFactory.java
+++ b/src/java/org/apache/cassandra/security/SSLFactory.java
@@ -23,6 +23,9 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Enumeration;
 import java.util.Set;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -48,6 +51,8 @@ public final class SSLFactory
 {
     private static final Logger logger = LoggerFactory.getLogger(SSLFactory.class);
 
+    private static boolean checkedExpiry = false;
+
     public static SSLServerSocket getServerSocket(EncryptionOptions options, InetAddress address, int port) throws IOException
     {
         SSLContext ctx = createSSLContext(options, true);
@@ -114,6 +119,20 @@ public final class SSLFactory
         KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
         KeyStore ks = KeyStore.getInstance(options.store_type);
         ks.load(ksf, options.keystore_password.toCharArray());
+        if (!checkedExpiry)
+        {
+            for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); )
+            {
+                String alias = aliases.nextElement();
+                if (ks.getCertificate(alias).getType().equals("X.509"))
+                {
+                    Date expires = ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
+                    if (expires.before(new Date()))
+                        logger.warn("Certificate for {} expired on {}", alias, expires);
+                }
+            }
+            checkedExpiry = true;
+        }
         kmf.init(ks, options.keystore_password.toCharArray());
         ctx.init(kmf.getKeyManagers(), trustManagers, null);
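Review bot: `checkedExpiry` in the second hunk is a single JVM-wide flag, and the third hunk sets it after scanning whichever keystore happens to be loaded first, so any keystore opened later in the process — for instance a client-encryption keystore that differs from the server one — is never checked and an expired certificate in it produces no warning. The field is also not `volatile`, so two threads building contexts concurrently may both scan and log; that is harmless, but the once-per-JVM intent should be stated on the field, e.g. `// Set after the first keystore loaded in this JVM has been scanned for expired certificates; keystores loaded later are not rescanned.` If per-keystore coverage is wanted instead, replace the boolean with a set of already-scanned keystore paths (the keystore path from EncryptionOptions) and test membership before the loop. The method that performs the scan starts and ends outside the third hunk, so its other callers cannot be confirmed from here.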