  1. Cassandra
  2. CASSANDRA-14295

no ssl hostname validation in cqlsh


    Details

    • Type: Bug
    • Status: Open
    • Priority: Low
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Legacy/CQL
    • Labels:
    • Severity: Low

      Description

      In order to validate certificates properly, the Python driver requires check_hostname to be set.

      https://github.com/datastax/python-driver/blob/master/cassandra/cluster.py#L558-L562

      However it is not available as a setting in cqlsh:

      https://github.com/apache/cassandra/blob/trunk/pylib/cqlshlib/sslhandling.py#L86-L89

      I noticed this because cqlsh connects to 127.0.0.1 by default, but the configured certificate contains only the hostname and the local IP. The connection was always successful. But when adding check_hostname to cqlshlib/sslhandling.py, the validation works as expected:

      current behaviour:

      # cqlsh --ssl
      Connected to ****-cassandra at 127.0.0.1:9042.
      [cqlsh 5.0.1 | Cassandra 3.11.2 | CQL spec 3.4.4 | Native protocol v4]
      Use HELP for help.
      ****@cqlsh>

      expected:

      # cqlsh --ssl
      Connection error: ('Unable to connect to any servers', {'127.0.0.1': CertificateError("hostname '127.0.0.1' doesn't match '****'",)})
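
The difference between the two outcomes above, as an added example that is not part of the original report and is not code from cqlsh or the Python driver: a simplified model of the subjectAltName comparison a hostname check performs, run over a constructed certificate in the shape returned by `ssl.SSLSocket.getpeercert()`. The certificate contents, the address 10.0.0.5 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a node certificate that names only its hostname and its LAN address.
SAMPLE_CERT = {
    "subject": ((("commonName", "cassandra-node1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "cassandra-node1.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}


def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def endpoint_matches_cert(cert, endpoint):
    """True if the address the client dialled is named in subjectAltName."""
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None  # not an IP literal, so compare against DNS entries
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and dns_match(value, endpoint):
            return True
    return False


def connect_decision(cert, endpoint, check_hostname):
    """Model the outcome once the chain has already validated against the CA."""
    if check_hostname and not endpoint_matches_cert(cert, endpoint):
        return "reject"
    return "accept"
```

With `check_hostname` off, any certificate that chains to the trusted CA is accepted regardless of which endpoint was dialled, which is the "current behaviour" shown in the report.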

       

       


            People

            • Assignee: Unassigned
            • Reporter: tgbeck Christian Becker
            • Votes: 0
            • Watchers: 3
