[jira] [Comment Edited] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.

2013-01-07 Thread Aleksey Yeschenko (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13546064#comment-13546064
 ] 

Aleksey Yeschenko edited comment on CASSANDRA-5120 at 1/7/13 5:31 PM:
--

Not all Thrift ssl socket implementations support this.
Python's TSSLSocket doesn't, for example.

  was (Author: iamaleksey):
Not all thfit ssl socket implementations support this.
Python's TSSLSocket, for example.
  
> Add support for SSL sockets to use client certificate authentication.
> -
>
> Key: CASSANDRA-5120
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 1.2.0
>Reporter: Steven Franklin
>Priority: Minor
> Fix For: 1.2.0
>
> Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Comment Edited] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.

2013-02-25 Thread Vijay (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13586207#comment-13586207
 ] 

Vijay edited comment on CASSANDRA-5120 at 2/25/13 7:49 PM:
---

{quote}
All that requireClientAuth(true) does is that it requires clients to use their 
certs when connecting.
{quote}

Not sure if I understand what you are trying to say... but the 
requireClientAuth still needs a valid cert but won't require auth, am I making 
sense? http://pastebin.com/sue1dvCA (look for "Failed to create a client SSL 
connection.")

  was (Author: vijay2...@yahoo.com):
{quote}
All that requireClientAuth(true) does is that it requires clients to use their 
certs when connecting.
{quote}

Not sure if i understand what you are trying to say... but the 
requireClientAuth still needs a valid cert but wont require auth, am i making 
sense? http://pastebin.com/sue1dvCA
  
> Add support for SSL sockets to use client certificate authentication.
> -
>
> Key: CASSANDRA-5120
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 1.2.0
>Reporter: Steven Franklin
>Assignee: Steven Franklin
>Priority: Minor
> Fix For: 1.2.1
>
> Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.



[jira] [Comment Edited] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.

2013-02-27 Thread Ryan McGuire (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588564#comment-13588564
 ] 

Ryan McGuire edited comment on CASSANDRA-5120 at 2/27/13 6:02 PM:
--

I have verified that Cassandra always rejects a client certificate when 
*require_client_auth = true*. It cannot verify a key that it does not know 
about. If there is currently a way of installing my client certificate on the 
server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so 
that I could see how this would work with a server that does accept client 
certificates. stunnel has the option to verify client certificates with its 
verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1: -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with 
a client certificate. With *require_client_auth=false*, the connection is always 
allowed whether I use a client certificate or not. With 
*require_client_auth=true* the connection is always terminated, regardless of 
whether I specify a client certificate, because the server does not know about 
my certificate.

If Cassandra were to know about my certificate, I suspect this would work.

  was (Author: enigmacurry):
I have verified that Cassandra always reject a client certificate when 
*require_client_auth = true*. It cannot verify a key that it does not know 
about. If there is currently a way of installing my client certificate on the 
server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so 
that I could see how this would work with a server that does accept client 
certificates. stunnel has the option to verify client certificates with it's 
verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1: -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with 
client certificate. With *require_client_auth=false*, the connection is always 
allowed whether I use a client certificate or not. With 
*require_client_auth=true* the connection is always terminated, regardless if I 
specify a client certificate because the server does not know about my 
certificate.

If Cassandra were to know about my certificate, I suspect this would work.
  
> Add support for SSL sockets to use client certificate authentication.
> -
>
> Key: CASSANDRA-5120
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 1.2.0
>Reporter: Steven Franklin
>Assignee: Steven Franklin
>Priority: Minor
> Fix For: 1.2.1
>
> Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.



[jira] [Comment Edited] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.

2013-02-27 Thread Ryan McGuire (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588564#comment-13588564
 ] 

Ryan McGuire edited comment on CASSANDRA-5120 at 2/27/13 6:06 PM:
--

I have verified that Cassandra always rejects a client connection when 
*require_client_auth = true*. It cannot verify a key that it does not know 
about. If there is currently a way of installing my client certificate on the 
server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so 
that I could see how this would work with a server that does accept client 
certificates. stunnel has the option to verify client certificates with its 
verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1: -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with 
a client certificate. With *require_client_auth=false*, the connection is always 
allowed whether I use a client certificate or not. With 
*require_client_auth=true* the connection is always terminated, regardless of 
whether I specify a client certificate, because the server does not know about 
my certificate.

If Cassandra were to know about my certificate, I suspect this would work.

  was (Author: enigmacurry):
I have verified that Cassandra always rejects a client certificate when 
*require_client_auth = true*. It cannot verify a key that it does not know 
about. If there is currently a way of installing my client certificate on the 
server, I am not aware of it.

To verify this behaviour, I created my own example SSL server using stunnel so 
that I could see how this would work with a server that does accept client 
certificates. stunnel has the option to verify client certificates with it's 
verify=3 option:

{code}
cert = server.pem
setuid = ryan
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CAfile = certs/myca.crt
CApath = /home/ryan/stunnel_keys/acceptable
foreground = yes
debug = 7

[ryan]
accept = 
connect = 127.0.0.1:9998
{code}

I can connect to this example server using OpenSSL's client:

{code}
openssl s_client -connect 127.0.0.1: -cert client.pem
{code}

With the certificate it connects, without it it doesn't.

The same command on port 9160 can be used to connect to Cassandra over SSL with 
client certificate. With *require_client_auth=false*, the connection is always 
allowed whether I use a client certificate or not. With 
*require_client_auth=true* the connection is always terminated, regardless if I 
specify a client certificate because the server does not know about my 
certificate.

If Cassandra were to know about my certificate, I suspect this would work.
  
> Add support for SSL sockets to use client certificate authentication.
> -
>
> Key: CASSANDRA-5120
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 1.2.0
>Reporter: Steven Franklin
>Assignee: Steven Franklin
>Priority: Minor
> Fix For: 1.2.1
>
> Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.



[jira] [Comment Edited] (CASSANDRA-5120) Add support for SSL sockets to use client certificate authentication.

2013-02-27 Thread Ryan McGuire (JIRA)

[ 
https://issues.apache.org/jira/browse/CASSANDRA-5120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13588784#comment-13588784
 ] 

Ryan McGuire edited comment on CASSANDRA-5120 at 2/27/13 9:27 PM:
--

Yes it works!

I took the same key I used prior and imported it into a new truststore file, 
configured the *truststore* and *truststore_password* options in the yaml and 
was able to make a connection. I tested with another key that I did not import 
and the connection was terminated. I tried connecting without any key and the 
connection was terminated.

  was (Author: enigmacurry):
Yes it does!

I took the same key I used prior and imported it into a new trustsstore file, 
configured the *truststore* and *truststore_password* options in the yaml and 
was able to make a connection. I tested with another key that I did not import 
and the connections was terminated. I tried connecting without any key and the 
connection was terminated.
  
> Add support for SSL sockets to use client certificate authentication.
> -
>
> Key: CASSANDRA-5120
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5120
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Core
>Affects Versions: 1.2.0
>Reporter: Steven Franklin
>Assignee: Aleksey Yeschenko
>Priority: Minor
> Fix For: 1.2.1
>
> Attachments: trunk-5120.txt
>
>
> Add an option to EncryptionOptions to require client certificate 
> authentication.

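The behaviour Ryan describes above (with require_client_auth=true a connection only succeeds when the client's certificate is in the server's truststore) shown in a plain-Java mutual-TLS server whose settings mirror the cassandra.yaml options; this is an added example written for this thread, not Cassandra's own code, and the keystore/truststore paths, passwords and port are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ClientAuthServer {
    // Assumed placeholder paths/passwords; in Cassandra these come from EncryptionOptions.
    static final String KEYSTORE = "conf/.keystore", KEYSTORE_PASSWORD = "changeit";
    static final String TRUSTSTORE = "conf/.truststore", TRUSTSTORE_PASSWORD = "changeit";
    static final boolean REQUIRE_CLIENT_AUTH = true;   // require_client_auth in the yaml

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    static SSLContext buildContext() throws Exception {
        // keystore: the server's own private key and certificate
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE, KEYSTORE_PASSWORD), KEYSTORE_PASSWORD.toCharArray());
        // truststore: the only client certificates (or issuing CAs) the server accepts.
        // A client whose certificate is absent here fails the handshake, which is what
        // Ryan observed before importing his certificate into the truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, TRUSTSTORE_PASSWORD));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        try (SSLServerSocket server = (SSLServerSocket)
                buildContext().getServerSocketFactory().createServerSocket(9160)) {
            server.setNeedClientAuth(REQUIRE_CLIENT_AUTH);  // true: no trusted cert, no connection
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();                     // fails here for unknown or missing certs
                Certificate[] chain = client.getSession().getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("client authenticated as " + leaf.getSubjectX500Principal());
            }
        }
    }
}
```

Note that setNeedClientAuth only establishes that the client holds a private key for a certificate the truststore trusts; Vijay's point stands that this is transport-level authentication, not a Cassandra login.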