Details
- Bug
- Status: Awaiting Feedback
- Normal
- Resolution: Unresolved
- None
- None
- All
- None
Description
CASSANDRA-14652 caused a regression for client/native transport encryption. It broke one-way TLS authentication, where only the client authenticates the coordinator node's certificate chain and the client itself presents no certificate. This is configured in cassandra.yaml as follows:
client_encryption_options:
    enabled: true
    keystore: /path/to/keystore
    keystore_password: my_keystore_password
    optional: false
    require_client_auth: false
With the changes in CASSANDRA-14652, ServerConnection.java assumes that a client certificate chain is always present, which is not the case with the above configuration: the server never requested a client certificate, so the SSL session has no verified peer and the lookup throws.
Here is the error that shows up in the logs:
ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
    at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
    at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
    at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
    at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
    at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
    at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
    at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
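The failure mode in the trace is SSLSession.getPeerCertificateChain() (and its non-deprecated sibling getPeerCertificates()) throwing SSLPeerUnverifiedException whenever the handshake did not authenticate the client, which is the normal outcome of one-way TLS. The following is an added example, not Cassandra's code or its eventual fix: it shows the assumption the report describes next to a form that treats a missing client chain as an expected case so that password-based SASL can still proceed. The class and method names are hypothetical.

```java
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example, not Cassandra's code: reading the peer certificate chain on a
// server where client authentication is disabled (require_client_auth: false)
// or only optional. Names below are hypothetical.
public final class PeerCertificates
{
    private PeerCertificates() {}

    // The assumption described in the report: every TLS session carries a
    // client chain. With one-way TLS the server never asked for a client
    // certificate, the session has no verified peer, and this call throws
    // SSLPeerUnverifiedException ("peer not authenticated"), which surfaces as
    // the ERROR above while handling the client's AUTH_RESPONSE.
    static Certificate[] assumeClientChain(SSLSession session) throws SSLPeerUnverifiedException
    {
        return session.getPeerCertificates();
    }

    // Hardened form: a missing client chain is a normal result of one-way TLS,
    // not an error. Returning null lets the caller fall back to whatever
    // non-certificate authenticator (e.g. password) is configured.
    static Certificate[] optionalClientChain(SSLSession session)
    {
        try
        {
            return session.getPeerCertificates();
        }
        catch (SSLPeerUnverifiedException e)
        {
            // Expected when the client presented no certificate; not logged at
            // ERROR because nothing went wrong on the connection.
            return null;
        }
    }

    // Whether the negotiator may rely on certificate identity for this session.
    static boolean hasClientIdentity(SSLSession session)
    {
        Certificate[] chain = optionalClientChain(session);
        return chain != null && chain.length > 0;
    }
}
```

Two caveats when applying this pattern. First, the catch must not be used to hide a configuration where client certificates are required: with require_client_auth: true the SSLEngine is set to need client auth and the handshake itself fails before any AUTH_RESPONSE is processed, so a null chain can only be reached under optional or disabled client auth. Second, the null return should never be treated as "authenticated"; it only means the server must authenticate the client by some other mechanism, exactly as it did before CASSANDRA-14652.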