Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-15132

warning should not be logged when client auth is disabled for client encryption

Agile BoardAttach filesAttach ScreenshotBulk Copy AttachmentsBulk Move AttachmentsAdd voteVotersWatch issueWatchersCreate sub-taskConvert to sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Awaiting Feedback
    • Normal
    • Resolution: Unresolved
    • None
    • Feature/Encryption
    • None
    • All
    • None

    Description

      CASSANDRA-14652 caused a regression for client/native transport encryption. It broken one-way TLS authentication where only the client authenticates the coordinator node's certificate chain. This would be configured in cassandra.yaml as such:

      client_encryption_options:
        enabled: true
        keystore: /path/to/keystore
        keystore_password: my_keystore_password
        optional: false
        require_client_auth: false
      

      With the changes in CASSANDRA-14652, ServerConnection.java always assumes that there will always be a client certificate chain, which will not be the case with the above configuration.

      Here is the error that shows up in the logs:

      ERROR [Native-Transport-Requests-1] 2019-05-17 18:20:20,016 ServerConnection.java:147 - Failed to get peer certificates for peer /127.0.0.1:50736
      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
              at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:501) ~[na:1.8.0_202]
              at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:143) [main/:na]
              at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:127) [main/:na]
              at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:75) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:566) [main/:na]
              at org.apache.cassandra.transport.Message$Dispatcher.channelRead0(Message.java:410) [main/:na]
              at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:35) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:348) [netty-all-4.0.44.Final.jar:4.0.44.Final]
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_202]
              at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:162) [main/:na]
      

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned Assign to me
            jsanda John Sanda

            Dates

              Created:
              Updated:

              Slack

                Issue deployment