Details
-
Improvement
-
Status: Open
-
Normal
-
Resolution: Unresolved
-
None
-
Operability
-
Normal
-
All
-
None
Description
With cassandra-9220, it's possible to configure endpoint/hostname verification when enabling internode encryption. However, you don't have any control over what endpoint is used for the endpoint verification; instead, cassandra will automatically try to use node IP (not node hostname) for endpoint verification, so if your node certificates don't include the IP in the ssl certificate's SAN list, then you'll get an error like:
ERROR [MessagingService-Outgoing-/10.10.88.194-Gossip] 2018-11-13 10:20:26,903 OutboundTcpConnection.java:606 - SSL handshake error for outbound connection to 50cc97c1[SSL_NULL_WITH_NULL_NULL: Socket[addr=/<NODE_IP_ADDRESS>,port=7001,localport=47684]]
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <NODE_IP_ADDRESS> found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
From what I've seen, most orgs will not have node IPs in their certs.
So, it will be best if cassandra would provide another configuration option such as endpoint_verification_method which you could set to "ip" or "fqdn" or something else (eg "hostname_alias" if for whatever reason the org doesn't want to use fqdn for endpoint verification).