[ https://issues.apache.org/jira/browse/CASSANDRA-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Sanda updated CASSANDRA-15132:
-----------------------------------
    Summary: warning should not be logged when client auth is disabled for client encryption  (was: one-way TLS authentication for client encryption is broken)

> warning should not be logged when client auth is disabled for client encryption
> -------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15132
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15132
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/Encryption
>            Reporter: John Sanda
>            Priority: Normal
>
> CASSANDRA-14652 caused a regression for client/native transport encryption. It broke one-way TLS authentication, where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as such:
> {noformat}
> client_encryption_options:
>     enabled: true
>     keystore: /path/to/keystore
>     keystore_password: my_keystore_password
>     optional: false
>     require_client_auth: false
> {noformat}
> With the changes in CASSANDRA-14652, ServerConnection.java always assumes that there will be a client certificate chain, which will not be the case with the above configuration.
> Here is the error that shows up in the logs:
> {noformat}
> ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> 	at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
> 	at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
> 	at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
> 	at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
> 	at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
> 	at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
> 	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> 	at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> 	at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
> 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
> 	at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
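The one-way TLS configuration from the report above, reproduced outside Cassandra as an added example (this is not Cassandra's code and not the fix for this ticket). Python's ssl module stands in for the Java SSLSession: where the Java call in the trace throws SSLPeerUnverifiedException for an unauthenticated peer, getpeercert() returns None, but the decision the server has to make is the same: branch on require_client_auth before treating a missing client chain as an error. It assumes the openssl CLI is on PATH to mint a throwaway server certificate; every function name here is illustrative.

```python
"""Added example, not Cassandra code: a TLS server that treats an absent client
certificate as expected when require_client_auth is false, and as an error only
when it is true.  Assumes the openssl CLI is on PATH; function names are
illustrative, not Cassandra's."""
import os
import shutil
import ssl
import subprocess
import tempfile


def make_self_signed(workdir, cn="localhost"):
    """Mint a throwaway server key and self-signed cert (stands in for the keystore)."""
    key = os.path.join(workdir, "server.key")
    crt = os.path.join(workdir, "server.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + cn,
         "-addext", "subjectAltName=DNS:" + cn],
        check=True, capture_output=True)
    return key, crt


def server_context(certfile, keyfile, require_client_auth):
    """Server side of client_encryption_options.  require_client_auth: false maps to
    CERT_NONE (one-way TLS); true maps to CERT_REQUIRED (handshake fails without a
    client cert)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    if require_client_auth:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(certfile)  # trust store for client certs (none presented here)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context(cafile):
    """Client side of one-way TLS: verifies the server chain and hostname, presents nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile)
    return ctx


def _pump(src, dst):
    data = src.read()
    if data:
        dst.write(data)


def handshake_in_memory(server_ctx, client_ctx, hostname="localhost"):
    """Drive a full handshake between two in-memory endpoints (no sockets).
    Returns (client, server) SSLObjects; raises ssl.SSLError if either side rejects."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = [False, False]
    for _ in range(32):
        for i, side in enumerate((client, server)):
            if not done[i]:
                try:
                    side.do_handshake()
                    done[i] = True
                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                    pass  # this side needs the other side's next flight first
            _pump(c_out, s_in)  # client -> server
            _pump(s_out, c_in)  # server -> client
        if all(done):
            return client, server
    raise RuntimeError("handshake did not complete")


def peer_certificate(tls, require_client_auth):
    """The check the report asks for: return the client's DER cert, or None when
    one-way TLS is configured and the client (correctly) sent nothing.  Only a
    required-but-missing client cert is an error worth logging."""
    cert = tls.getpeercert(binary_form=True)  # None when no client cert was presented
    if cert is None and require_client_auth:
        raise ssl.SSLError("require_client_auth is true but the client presented no certificate")
    return cert


def run_demo():
    """One-way TLS: handshake succeeds and the peer cert is None.  Mutual TLS against
    a cert-less client: the handshake itself fails.  Returns None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as work:
        key, crt = make_self_signed(work)
        _, server = handshake_in_memory(server_context(crt, key, False), client_context(crt))
        one_way_peer = peer_certificate(server, require_client_auth=False)
        try:
            handshake_in_memory(server_context(crt, key, True), client_context(crt))
            mutual_failed = False
        except ssl.SSLError:
            mutual_failed = True
        return {"one_way_peer": one_way_peer, "mutual_failed": mutual_failed}


if __name__ == "__main__":
    print(run_demo())
```

With the report's configuration (require_client_auth: false) the one-way handshake completes and the server sees no client certificate; that is the normal outcome, not a failure, so nothing should be logged at ERROR. Only when the operator asked for client auth is a missing chain a problem, and in that case the handshake already fails before any SASL negotiation runs.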