Hi Luke,

I believe this is not the case. The Java riak-client (version 2.0.6) that I 
used does validate the server's cert but does not check the server's CN. If I 
replace the getACert CA in the truststore with another unknown CA, then SSL fails 
with "unable to find valid certification path to requested target". I don't 
even see an option to ignore server cert validation on the client side. I am 
wondering if you can help provide some details related to SSL certificate 
validation configuration.

My riak node builder code:
RiakNode.Builder builder = new RiakNode.Builder()
        .withRemoteAddress("127.0.0.1")
        .withRemotePort(8087);
builder.withAuth(username, password, trustStore, keyStore, keyPasswd);

Thanks

-Kyle-
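A way to test the point raised above (chain validation passing while the CN/SAN is never compared to the address you connected to) independently of the Riak client: the added example below is not Basho's code; it assumes Riak's PB port expects a length-prefixed RpbStartTls frame (message code 255) before the TLS handshake, and it turns on the JDK's standard endpoint identification so a name mismatch fails the handshake.

```java
import java.io.*;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.*;

public class RiakTlsCheck {
    // Riak PB StartTLS frame: 4-byte big-endian length (1), then code 255, no body (assumed).
    private static final byte RPB_START_TLS = (byte) 0xFF;

    /** Opens a TLS session to host:port via StartTLS and requires the cert to name that host. */
    public static SSLSocket connect(String host, int port, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                       // only the CA(s) in the truststore are trusted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // pass a KeyManager[] here for client-cert auth

        Socket plain = new Socket(host, port);
        DataOutputStream out = new DataOutputStream(plain.getOutputStream());
        DataInputStream in = new DataInputStream(plain.getInputStream());
        out.writeInt(1);
        out.writeByte(RPB_START_TLS);
        out.flush();
        if (in.readInt() != 1 || in.readByte() != RPB_START_TLS) {
            plain.close();
            throw new IOException("node did not answer StartTLS");
        }

        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
        SSLParameters params = tls.getSSLParameters();
        // "HTTPS" = RFC 2818 rules: SAN dNSName for a host name, SAN iPAddress for an IP literal.
        // A CN of "riak@127.0.0.1" matches neither, so the handshake below is rejected.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
        tls.startHandshake(); // SSLHandshakeException on an untrusted chain OR a name mismatch
        return tls;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream is = new FileInputStream(args[0])) {
            ts.load(is, args[1].toCharArray()); // args: truststore path, truststore password
        }
        try (SSLSocket s = connect("127.0.0.1", 8087, ts)) {
            System.out.println("accepted: " + s.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it once with the node's real CA in the truststore (expect "rejected" until the cert carries a matching SAN or CN) and once with an unrelated CA (expect the "unable to find valid certification path" failure) to separate the two checks.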


-----Original Message-----
From: Luke Bakken [mailto:lbak...@basho.com]
Sent: Tuesday, August 30, 2016 7:14 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication 
using Java client

Kyle -

The CN should be either the DNS-resolvable host name of the Riak node, or its 
IP address (without "riak@"). Then, the Java client should be configured to use 
that to connect to the node (either DNS or IP).
Without doing that, I really don't have any idea how the Java client is 
validating the server certificate during TLS handshake. Did you configure the 
client to *not* validate the server cert?

--
Luke Bakken
Engineer
lbak...@basho.com


On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.ngu...@philips.com> wrote:
> Hi Luke,
>
> The CN for the client's certificate is "kyle" and the CN for the riak cert 
> (ssl.certfile) is "riak@127.0.0.1", which matches the nodename in 
> riak.conf. Riak's ssl.cacertfile.pem contains the same CA (getACert) which I 
> used to sign both the client and riak public keys. It appears that riak also 
> validated the client certificate, following this SSL debug info. I do see *** 
> CertificateVerify (toward the end) after the client certificate is requested 
> by Riak. Please let me know if it looks right to you.

_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
