[ https://issues.apache.org/jira/browse/CASSANALYTICS-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069690#comment-18069690 ]
Jeremiah Jordan commented on CASSANALYTICS-139:
-----------------------------------------------
While I agree turning off security features is not a good idea, as far as I
know all existing C* drivers and the server itself allow disabling the
hostname verification. So allowing this in Cassandra Analytics seems
reasonable? Have it default to being enabled and allow disabling it. You could
even output a WARN if it is disabled?
> Allow disabling SAN verification
> --------------------------------
>
> Key: CASSANALYTICS-139
> URL: https://issues.apache.org/jira/browse/CASSANALYTICS-139
> Project: Apache Cassandra Analytics
> Issue Type: Improvement
> Reporter: Lukasz Antoniak
> Assignee: Lukasz Antoniak
> Priority: Normal
>
> When a generic mTLS certificate is issued for Sidecar nodes in a cluster, the SSL
> connection cannot be established due to hostname verification failure. Allow
> disabling hostname verification.
> {code:java}
> Caused by: java.security.cert.CertificateException: No name matching sidecar-dc1-service found
> at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234)
> at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:461)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:421)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
> at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:790)
> at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
> at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
> at o.a.c.sidecar.client.shaded.io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1534)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:96)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1509)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
> at o.a.c.sidecar.client.shaded.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
> {code}
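The behaviour proposed in the comment (SAN/hostname verification on by default, an explicit switch to disable it, and a WARN logged whenever it is off), shown against the same kind of mismatch the stack trace reports. This is an added illustration, not code from the ticket, from Cassandra Analytics or from the Sidecar client. It is written in Go rather than the project's Java only because Go's standard library can mint a throwaway certificate inline; the config type, its field name, and the SAN value `sidecar-generic` are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// SidecarTLSConfig is an assumed config shape for the toggle discussed in the
// ticket. VerifyHostname is the only knob; the secure value is true.
type SidecarTLSConfig struct {
	VerifyHostname bool
}

// DefaultSidecarTLSConfig returns the proposed default: verification enabled.
func DefaultSidecarTLSConfig() SidecarTLSConfig {
	return SidecarTLSConfig{VerifyHostname: true}
}

// ErrHostnameMismatch wraps the underlying x509 error so callers can match on it.
var ErrHostnameMismatch = errors.New("hostname verification failed")

// makeGenericCert builds a self-signed certificate whose only DNS SAN is
// genericName. It stands in for the "generic mTLS certificate" from the ticket;
// the key and certificate are constructed test data, not real Sidecar material.
func makeGenericCert(genericName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: genericName},
		DNSNames:     []string{genericName}, // the SAN list the verifier checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckPeerIdentity is the identity step of server-certificate validation
// (chain/trust checks are assumed to have run already). With verification on,
// the server name must match a SAN in the certificate; with it off, the
// mismatch is accepted but a WARN records that the protection was bypassed.
func CheckPeerIdentity(cfg SidecarTLSConfig, cert *x509.Certificate, serverName string) error {
	if !cfg.VerifyHostname {
		log.Printf("WARN: hostname verification disabled; accepting certificate with SANs %v for %q",
			cert.DNSNames, serverName)
		return nil
	}
	if err := cert.VerifyHostname(serverName); err != nil {
		return fmt.Errorf("%w: %v", ErrHostnameMismatch, err)
	}
	return nil
}

func main() {
	cert, err := makeGenericCert("sidecar-generic")
	if err != nil {
		log.Fatal(err)
	}
	cfg := DefaultSidecarTLSConfig()
	// Same situation as the ticket: the generic SAN does not name the service.
	fmt.Println("default config:", CheckPeerIdentity(cfg, cert, "sidecar-dc1-service"))
	cfg.VerifyHostname = false
	fmt.Println("verification off:", CheckPeerIdentity(cfg, cert, "sidecar-dc1-service"))
}
```

The WARN line carries the SAN list and the requested server name, which is what an operator needs when reviewing why a connection was accepted with the check off.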
--
This message was sent by Atlassian Jira (v8.20.10#820010)