Details
- Improvement
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- Operability
- Normal
- All
- Security
Description
Currently when using MutualTlsAuthenticator or MutualTlsWithPasswordFallbackAuthenticator a client is prompted with an AUTHENTICATE message to which they must respond with an AUTH_RESPONSE (e.g. a user name and password). This shouldn't be needed as the role can be identified using only the certificate.
To address this, we could add the capability to authenticate early in processing of a STARTUP message if we can determine that both the configured authenticator supports certificate authentication and a client certificate was provided. If the certificate can be authenticated, a READY response is returned, otherwise an ERROR is returned.
This change can be done in a fully backwards compatible way and requires no protocol or driver changes; I will supply a patch shortly!
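The STARTUP flow described above as a small simulation, added here as an illustration and not the patch or Cassandra's own code; the function names, the identity-to-role table and the credentials are constructed. It also shows why an unmodified client keeps working: READY directly after STARTUP is already what a server without authentication sends.

```python
from typing import Optional

# Constructed data: stands in for certificate validation and the password store.
IDENTITY_TO_ROLE = {"spiffe://example.test/reporting": "reporting_role"}
PASSWORDS = {"cassandra_user": "s3cret"}

def server_on_startup(supports_cert_auth: bool, cert_identity: Optional[str]):
    """Server side: reply to STARTUP. Returns (opcode, role)."""
    if supports_cert_auth and cert_identity is not None:
        role = IDENTITY_TO_ROLE.get(cert_identity)
        # Early decision: READY if the certificate maps to a role, ERROR otherwise.
        return ("READY", role) if role else ("ERROR", None)
    # Unchanged path: no certificate (or a password-only authenticator).
    return ("AUTHENTICATE", None)

def server_on_auth_response(user: Optional[str], password: Optional[str]):
    """Server side: credential check after AUTHENTICATE (password path)."""
    ok = user in PASSWORDS and PASSWORDS[user] == password
    return ("AUTH_SUCCESS", user) if ok else ("ERROR", None)

def connect(supports_cert_auth, cert_identity, user=None, password=None):
    """Unmodified client: sends STARTUP and reacts to the opcode it gets back.

    Returns (transcript, role). The client only sends AUTH_RESPONSE when it is
    challenged, so a server that answers READY early needs no driver change.
    """
    transcript = ["STARTUP"]
    opcode, role = server_on_startup(supports_cert_auth, cert_identity)
    transcript.append(opcode)
    if opcode == "AUTHENTICATE":
        transcript.append("AUTH_RESPONSE")
        opcode, role = server_on_auth_response(user, password)
        transcript.append(opcode)
    return transcript, role

if __name__ == "__main__":
    cases = [
        ("mTLS, known cert", (True, "spiffe://example.test/reporting")),
        ("mTLS, unknown cert", (True, "spiffe://example.test/unknown")),
        ("fallback, no cert", (True, None, "cassandra_user", "s3cret")),
        ("password-only", (False, None, "cassandra_user", "s3cret")),
    ]
    for label, args in cases:
        print(label, "->", connect(*args))
```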
Issue Links
- Dependency: CASSANDRA-18811 Set right client auth for creating SSL context in mTLS optional mode (Resolved)