Details
- Type: New Feature
- Status: Resolved
- Priority: Normal
- Resolution: Fixed
- Component: Operability
- Complexity: Normal
- Platform: All
Description
In org.apache.cassandra.auth.MutualTlsAuthenticator, we validate a client certificate by extracting the identities it carries and checking that each identity exists in the identity-to-role table.
In some situations we may also want to restrict which certificates we accept by rejecting any certificate that was issued more than a configured number of days ago. Certificates can be generated with very long expiration dates, which is undesirable when the goal is to limit the damage from a compromised certificate. For that reason, it is useful to add an option that, when configured, caps the age of the certificates accepted for mTLS authentication.
When enabled, this forces clients to renew their certificates more frequently, reducing the window during which a leaked certificate can be used against a Cassandra cluster.
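As an added illustration, not the Cassandra code or the patch attached to this ticket, the following Java helper enforces the proposed age cap from the leaf certificate's notBefore date. The class, method and option names (`CertificateAgePolicy`, `max_certificate_age_days`) and the five-minute skew tolerance are assumptions; it sits beside the existing identity-to-role lookup rather than replacing it, and the usual expiry check (`checkValidity()`) is still done by the TLS layer.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;

/** Hypothetical age cap for mTLS client certificates: reject certificates issued too long ago. */
public final class CertificateAgePolicy {
    private final Duration maxAge;     // null = option max_certificate_age_days not configured, check disabled
    private final Duration clockSkew;  // tolerated clock skew for a notBefore slightly in the future
    private final Clock clock;

    public CertificateAgePolicy(Integer maxAgeDays, Clock clock) {
        this.maxAge = maxAgeDays == null ? null : Duration.ofDays(maxAgeDays);
        this.clockSkew = Duration.ofMinutes(5);
        this.clock = clock;
    }

    /** Checks only the leaf (client) certificate, chain[0], the one whose identities are looked up. */
    public void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("empty certificate chain");
        Instant notBefore = chain[0].getNotBefore().toInstant();
        if (!isAcceptable(notBefore, clock.instant()))
            throw new CertificateException("client certificate issued at " + notBefore
                    + " is older than the configured maximum age of " + maxAge.toDays() + " days");
    }

    /** Pure decision logic, kept separate so it can be unit-tested without a real certificate. */
    boolean isAcceptable(Instant notBefore, Instant now) {
        if (maxAge == null) return true;                          // feature disabled
        if (notBefore.isAfter(now.plus(clockSkew))) return false; // not yet valid: never treat as "young"
        return Duration.between(notBefore, now).compareTo(maxAge) <= 0;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z");          // constructed reference time
        CertificateAgePolicy capped = new CertificateAgePolicy(30, Clock.fixed(now, java.time.ZoneOffset.UTC));
        CertificateAgePolicy off = new CertificateAgePolicy(null, Clock.fixed(now, java.time.ZoneOffset.UTC));
        System.out.println(capped.isAcceptable(now.minus(Duration.ofDays(10)), now));  // true, 10 days old
        System.out.println(capped.isAcceptable(now.minus(Duration.ofDays(31)), now));  // false, 31 days old
        System.out.println(capped.isAcceptable(now.plus(Duration.ofHours(1)), now));   // false, issued in the future
        System.out.println(off.isAcceptable(now.minus(Duration.ofDays(400)), now));    // true, option not set
    }
}
```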