[ 
https://issues.apache.org/jira/browse/CASSANALYTICS-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18068208#comment-18068208
 ] 

Lukasz Antoniak commented on CASSANALYTICS-139:
-----------------------------------------------

While it is still under discussion if relaxing security is a good idea, 
implementation has been started 
[here|https://github.com/apache/cassandra-analytics/compare/trunk...lukasz-antoniak:cassandra-analytics:CASSANALYTICS-139].

> Allow disabling SAN verification
> --------------------------------
>
>                 Key: CASSANALYTICS-139
>                 URL: https://issues.apache.org/jira/browse/CASSANALYTICS-139
>             Project: Apache Cassandra Analytics
>          Issue Type: Improvement
>            Reporter: Lukasz Antoniak
>            Assignee: Lukasz Antoniak
>            Priority: Normal
>
> When a generic mTLS certificate is issued for Sidecar nodes in a cluster, an SSL 
> connection cannot be established due to hostname verification failure. Allow 
> disabling hostname verification.
> {code:java}
> Caused by: java.security.cert.CertificateException: No name matching sidecar-dc1-service found
>         at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234)
>         at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:461)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:421)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
>         at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:790)
>         at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
>         at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
>         at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1534)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:96)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1509)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
>         at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
>  {code}



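A preflight check for the failure in the stack trace above, as an added example that is not part of the issue or of the cassandra-analytics code: it reads a certificate's dNSName SAN entries and reports which dialed hostnames would pass hostname verification, which shows the names a generic certificate is missing. The class name `SanPreflight`, the `example.internal` hostname and the fallback SAN list are constructed; the matching is a simplified RFC 6125 rule, not the JDK's `HostnameChecker`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

public class SanPreflight {
    // dNSName entries of a certificate (GeneralName type 2); empty if there is no SAN extension.
    static List<String> dnsSans(X509Certificate cert) throws Exception {
        Collection<List<?>> alt = cert.getSubjectAlternativeNames();
        if (alt == null) return List.of();
        return alt.stream().filter(e -> Integer.valueOf(2).equals(e.get(0)))
                  .map(e -> (String) e.get(1)).collect(Collectors.toList());
    }

    // Loads a PEM or DER encoded X.509 certificate and returns its dNSName SANs.
    static List<String> load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return dnsSans((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
    }

    // Simplified RFC 6125 rule: exact match, or "*." standing for exactly one leftmost label.
    static boolean matches(String host, String san) {
        String h = host.toLowerCase(Locale.ROOT), s = san.toLowerCase(Locale.ROOT);
        if (!s.startsWith("*.")) return h.equals(s);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(s.substring(1));
    }

    static boolean covered(String host, List<String> sans) {
        return sans.stream().anyMatch(san -> matches(host, san));
    }

    public static void main(String[] args) throws Exception {
        // Names the client dials: the first is from the stack trace, the second is constructed.
        List<String> dialed = List.of("sidecar-dc1-service",
                                      "sidecar-0.sidecar-dc1-service.example.internal");
        // With no argument, use a constructed SAN list for a reissued certificate.
        List<String> sans = args.length > 0 ? load(args[0])
                : List.of("sidecar-dc1-service", "*.sidecar-dc1-service.example.internal");
        for (String host : dialed) {
            System.out.println(host + " -> " + (covered(host, sans) ? "verifies" : "no matching SAN"));
        }
    }
}
```

Run it with the path to the Sidecar certificate as the only argument to check the real SAN list instead of the constructed one.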