Uploaded image for project: 'Apache Cassandra'
  1. Apache Cassandra
  2. CASSANDRA-18951

Add option for MutualTlsAuthenticator to restrict the certificate validity period

    XMLWordPrintableJSON

Details

    Description

      In org.apache.cassandra.auth.MutualTlsAuthenticator, we validate that a certificate is valid by looking at the identities inside the
      certificate and making sure the identity exists in the identity to role table.

      In some situations we may want to restrict the certificates
      we accept by rejecting certificates older than x amount of days. Some certificates can be generated with long expiration dates,
      and this might be undesired when you want to protect against potential certificates being compromised. For that reason, it is
      important to add an option, that when configured, we can limit the age of the certificate we accept for mTLS authentication.

      When enabled, this will force clients to have to renew certificates more frequently, reducing the exposure of a Cassandra cluster
      to leaked certificates.

      Attachments

        1. ci_summary.html
          7 kB
          Francisco Guerrero
        2. result_details.tar.gz
          40.54 MB
          Francisco Guerrero

        Issue Links

          Activity

            People

              frankgh Francisco Guerrero
              frankgh Francisco Guerrero
              Francisco Guerrero
              Abe Ratnofsky, Andy Tolbert, Dinesh Joshi
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 6h 10m
                  6h 10m