Checking SSL connectivity

[ashetkar]

Hi,

I'm trying to connect an app to a cluster with ssl enabled. I'm providing below properties while connecting.

javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.trustStoreType

But I get the error No subject alternative names present.
Is there any other way to provide ssl config to the driver? Or is there any config I may be missing?

[maximevw]

Hello @ashetkar ,

Typically, the error "No subject alternative names present" appears when the server certificate's CN does not match the server hostname and there is no alternative names in the certificate potentially matching the hostname.

By default, when using the JSSE properties as you did, the connection will be established using the DefaultSslEngineFactory in which the hostname verification is activated by default:

# Whether or not to require validation that the hostname of the server certificate's common
# name matches the hostname of the server being connected to. If not set, defaults to true.
// hostname-validation = true

(See: https://docs.datastax.com/en/developer/java-driver/4.14/manual/core/ssl/)

I probably should add an additional parameter in a future version to allow disabling the hostname validation when using the JSSE properties and avoid such error when the certificate's CN/SAN do not match the hostname (which is not really a good practice though).

As explained here: https://github.com/ing-bank/cassandra-jdbc-wrapper#secure-connection-with-ssl, it is also possible to provide a custom SslEngineFactory implementation but it can be a little bit tricky and requires to write a custom class to manage the SSL parameters.

An other alternative consists in using a standard Cassandra configuration file including the advanced.ssl-engine-factory section as documented here:

• https://docs.datastax.com/en/developer/java-driver/4.14/manual/core/ssl/#jsse-property-based
• https://github.com/ing-bank/cassandra-jdbc-wrapper/blob/release/next/README.md#using-a-configuration-file

[ashetkar]

Thanks @maximevw for the prompt response.
Does the current version of the JDBC wrapper support disabling the hostname validation through the configuration file (application.conf)?

Yes, I too was looking for a way to ensure the host-verification. But it seems that I need to either relook at the certificates or implement the SslEngineFactory interface.

[maximevw]

Hi,
When a configuration file is specified, all the query parameters (except the contact points and the keyspace) are ignored and the configuration is delegated by the wrapper to the Datastax driver through the given configuration file. So, if you disable the hostname verification in ˋapplication.confˋ and pass it to the wrapper, it should work (if there is no bug neither in the wrapper nor in the Datastax driver).
Note that I never tested this specific parameter via the configuration file.

[ashetkar]

Thanks @maximevw
Providing it as a system property did not work for me (System.setProperty("-Ddatastax-java-driver.advanced.ssl-engine-factory.hostname-validation", "false");).

But when I added it to application.conf file and put it in the classpath, it did!

[maximevw]

You're welcome @ashetkar.
Indeed, this is a totally expected behaviour: only the standard JSSE system properties are used by the driver, any other system property is ignored.