Hi Luke, I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but not checking on server's CN. If I replaced getACert CA in the trustor with another unknown CA then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.
My riak node builder code: RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087); builder.withAuth(username, password, trustStore, keyStore, keyPasswd); Thanks -Kyle- -----Original Message----- From: Luke Bakken [mailto:lbak...@basho.com] Sent: Tuesday, August 30, 2016 7:14 AM To: Nguyen, Kyle Cc: Riak Users Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client Kyle - The CN should be either the DNS-resolvable host name of the Riak node, or its IP address (without "riak@"). Then, the Java client should be configured to use that to connect to the node (either DNS or IP). Without doing that, I really don't have any idea how the Java client is validating the server certificate during TLS handshake. Did you configure the client to *not* validate the server cert? -- Luke Bakken Engineer lbak...@basho.com On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.ngu...@philips.com> wrote: > Hi Luke, > > The CN for client's certificate is "kyle" and the CN for riak cert > (ssl.certfile) is "riak@127.0.0.1" which matches the nodename in the > riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I > used to sign both client and riak public keys. It appears that riak also > validated the client certificate following this SSL debug info. I do see *** > CertificateVerify (toward the end) after the client certificate is requested > by Riak. Please let me know if it looks right to you. ________________________________ The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message. _______________________________________________ riak-users mailing list riak-users@lists.basho.com http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com