Details
- Bug
- Status: Resolved
- Normal
- Resolution: Duplicate
- Normal
Description
I've set up server_encryption_options as well as client_encryption_options. In both settings, I use the same keystore with a wildcard SSL certificate in it. It is signed by our own CA, whose root certificate is in the configured truststore:
server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    truststore: /etc/cassandra/conf/my-cacerts
    truststore_password: changeit
    require_client_auth: true
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/wildcard-cert.keystore
    keystore_password: ""
    require_client_auth: false
The certificate's subject is:
CN=*.my.domain.com,OU=my unit,O=my org
When I deploy this setting on a server whose domain is node1.my.other-domain.com, a connection via cqlsh wrongly works. Additionally, the inter-node connection between other nodes in this wrong domain also works.
I would expect that the connection would fail with a meaningful error message.
Issue Links
- duplicates CASSANDRA-9220 Hostname verification for node-to-node encryption (Resolved)
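
The check the description expects, hostname verification of the peer certificate, as an added example (not Cassandra's code and not part of the original report). It matches a certificate DNS name pattern against the host being connected to, using the subject CN and host name from the description. Treating the CN as the certificate's DNS name is an assumption, since the page shows only the subject, and `node1.my.domain.com` is a constructed matching host.

```python
import ipaddress


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; drop a single trailing root dot.
    if name.endswith("."):
        name = name[:-1]
    return name.lower().split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name pattern covers hostname."""
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals are never covered by DNS names or wildcards
    except ValueError:
        pass
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # "*" stands for exactly one label, never several
    if p[0] == "*":
        # Wildcard only as the whole left-most label, with at least two
        # fixed labels after it, so a pattern like "*.com" is rejected.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "n*.my.domain.com" are not accepted.
    return "*" not in pattern and p == h


def verify_peer(cert_names: list[str], hostname: str) -> None:
    """Raise with a meaningful message when no certificate name covers hostname."""
    if not any(hostname_matches(n, hostname) for n in cert_names):
        raise ValueError(
            f"certificate names {cert_names} do not cover host {hostname!r}"
        )


# Name taken from the subject CN in the description (assumed to be the DNS name).
CERT_NAMES = ["*.my.domain.com"]

if __name__ == "__main__":
    # First host is from the description; the second is constructed.
    for host in ("node1.my.other-domain.com", "node1.my.domain.com"):
        try:
            verify_peer(CERT_NAMES, host)
            print(f"{host}: accepted")
        except ValueError as err:
            print(f"{host}: rejected ({err})")
```
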