Cassandra / CASSANDRA-15132

warning should not be logged when client auth is disabled for client encryption


Details

    • Type: Bug
    • Status: Awaiting Feedback
    • Priority: Normal
    • Resolution: Unresolved
    • Component: Feature/Encryption
    • Platform: All

    Description

      CASSANDRA-14652 caused a regression for client/native transport encryption. It broke one-way TLS authentication, where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as follows:

      client_encryption_options:
        enabled: true
        keystore: /path/to/keystore
        keystore_password: my_keystore_password
        optional: false
        require_client_auth: false

      With the changes in CASSANDRA-14652, ServerConnection.java assumes that there will always be a client certificate chain, which is not the case with the above configuration.

      Here is the error that shows up in the logs:

      ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
              at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
              at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
              at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
              at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
              at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
              at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
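      To make the failure mode concrete: with one-way TLS the JSSE session has no peer chain, so SSLSession.getPeerCertificates() throws SSLPeerUnverifiedException, and code that treats that as an error logs exactly the trace above. The following is an added illustration, not Cassandra's code and not the fix applied for this ticket. The class name ClientChainExample, the helper clientChain() and the proxy-backed stub session are hypothetical; the stub stands in for a real handshake so the example runs without sockets or keystores.

```java
import java.lang.reflect.Proxy;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added illustration, not Cassandra code. All names here are hypothetical.
public final class ClientChainExample {

    // Returns the client's X.509 chain if the TLS handshake authenticated a
    // client, or an empty array when it did not. With require_client_auth: false
    // the session has no peer chain and getPeerCertificates() throws
    // SSLPeerUnverifiedException; that is the normal one-way TLS case, not an
    // error worth logging. With require_client_auth: true the same condition
    // means an unauthenticated peer got past the handshake and must surface.
    static X509Certificate[] clientChain(SSLSession session, boolean requireClientAuth) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                x509[i] = (X509Certificate) chain[i];
            }
            return x509;
        } catch (SSLPeerUnverifiedException e) {
            if (requireClientAuth) {
                throw new IllegalStateException(
                    "client auth required but peer not authenticated", e);
            }
            // One-way TLS: proceed without a chain, nothing to log at ERROR.
            return new X509Certificate[0];
        }
    }

    // Constructed test double for a one-way TLS session: a dynamic proxy whose
    // getPeerCertificates() behaves like the real JSSE session in the report.
    static SSLSession oneWaySession() {
        return (SSLSession) Proxy.newProxyInstance(
            SSLSession.class.getClassLoader(),
            new Class<?>[] { SSLSession.class },
            (proxy, method, args) -> {
                if ("getPeerCertificates".equals(method.getName())) {
                    throw new SSLPeerUnverifiedException("peer not authenticated");
                }
                throw new UnsupportedOperationException(method.getName());
            });
    }

    public static void main(String[] args) {
        SSLSession session = oneWaySession();

        // require_client_auth: false -> empty chain, no error.
        X509Certificate[] chain = clientChain(session, false);
        System.out.println("one-way TLS, client chain length = " + chain.length);

        // require_client_auth: true -> the same condition is a real problem.
        try {
            clientChain(session, true);
        } catch (IllegalStateException e) {
            System.out.println("mutual TLS: " + e.getMessage());
        }
    }
}
```

      The design point is that the handling branches on the configured require_client_auth value rather than on the exception alone: a missing chain is expected under one-way TLS and exceptional under mutual TLS, and only the second deserves an ERROR entry.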

      People

        Assignee: Unassigned
        Reporter: John Sanda (jsanda)
        Votes: 0
        Watchers: 4