Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-15891

provide a configuration option such as endpoint_verification_method

Agile BoardAttach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskConvert to sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Improvement
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • 4.x
    • Messaging/Internode
    • None
    • Operability
    • Normal
    • All
    • None


      With cassandra-9220, it's possible to configure endpoint/hostname verification when enabling internode encryption.  However, you don't have any control over what endpoint is used for the endpoint verification; instead, cassandra will automatically try to use node IP (not node hostname) for endpoint verification, so if your node certificates don't include the IP in the ssl certificate's SAN list, then you'll get an error like:

      ERROR [MessagingService-Outgoing-/] 2018-11-13 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]] 
      javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <NODE_IP_ADDRESS> found 
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 

      From what I've seen, most orgs will not have node IPs in their certs.

      So, it will be best if cassandra would provide another configuration option such as endpoint_verification_method which you could set to "ip" or "fqdn" or something else (eg "hostname_alias" if for whatever reason the org doesn't want to use fqdn for endpoint verification).



          This comment will be Viewable by All Users Viewable by All Users


            Unassigned Unassigned Assign to me
            thatran Thanh



              Issue deployment