Support SSL without cert files #563

mohammad-aburadeh opened this issue Feb 14, 2023 · 2 comments · May be fixed by #736
mohammad-aburadeh commented Feb 14, 2023

Hi,

We have production Cassandra clusters where SSL (client_encryption_options) is enabled and no validation is required (require_client_auth: false).

But medusa does not support enabling SSL without a cert file.

The current connection code in medusa is:

```python
if self._cassandra_config.certfile is not None:
    ssl_context = SSLContext(PROTOCOL_TLSv1_2)
    ssl_context.load_verify_locations(self._cassandra_config.certfile)
    ssl_context.verify_mode = CERT_REQUIRED
    if self._cassandra_config.usercert is not None and self._cassandra_config.userkey is not None:
        ssl_context.load_cert_chain(
            certfile=self._cassandra_config.usercert,
            keyfile=self._cassandra_config.userkey)
    self._ssl_context = ssl_context
```

As you see in the above code, SSL is enabled if the "certfile" is provided.
But in our case SSL validation is not enabled.
We need a way to connect to the cluster without a certfile.

Simply, the code should be like this:

```python
if self._cassandra_config.ssl == True:
    ssl_context = SSLContext(PROTOCOL_TLSv1_2)

    # Without a certfile the context keeps its default verify_mode (CERT_NONE).
    if self._cassandra_config.certfile is not None:
        ssl_context.load_verify_locations(self._cassandra_config.certfile)
        ssl_context.verify_mode = CERT_REQUIRED
        if self._cassandra_config.usercert is not None and self._cassandra_config.userkey is not None:
            ssl_context.load_cert_chain(
                certfile=self._cassandra_config.usercert,
                keyfile=self._cassandra_config.userkey)
    self._ssl_context = ssl_context
```

Could you please help to support this in medusa?

Regards
Mohammad

┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: MED-30

@adejanovski adejanovski added the new Issues requiring triage label Feb 14, 2023
@mohammad-aburadeh
Contributor Author

Hi @adejanovski

Is there a plan to fix this?

Regards
Mohammad

@Miles-Garnsey Miles-Garnsey moved this to Assess/Investigate in K8ssandra May 16, 2023
@Miles-Garnsey

Hi @mohammad-aburadeh, SSL requires each party to have a certificate; that's just how public key encryption works, unfortunately.

If you have host verification turned off, perhaps you can create a self-signed certificate and use that?
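
What the context requested in this issue would verify, as an added example (not Medusa's code and not written by anyone in this thread): with Python's `ssl` module, a `PROTOCOL_TLSv1_2` context built without a `certfile` keeps `verify_mode = CERT_NONE`, so the connection is encrypted but the server's identity is not checked. `cfg.ssl` follows the proposal in the issue; `allow_unverified`, `explicit_context` and `audit` are hypothetical names used only here.

```python
import ssl
import warnings
from types import SimpleNamespace

def proposed_context(cfg):
    """Mirror the proposal in the issue: TLS on when cfg.ssl is set, certfile optional."""
    if not cfg.ssl:
        return None
    with warnings.catch_warnings():
        # PROTOCOL_TLSv1_2 is deprecated in current Python but is what the issue's code uses.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    if cfg.certfile is not None:
        ctx.load_verify_locations(cfg.certfile)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def explicit_context(cfg):
    """Same feature, but skipping verification has to be requested by name (hypothetical option)."""
    if not cfg.ssl:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cfg.certfile is not None:
        ctx.load_verify_locations(cfg.certfile)
    elif cfg.allow_unverified:
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError("ssl enabled without certfile; set allow_unverified to accept any server")
    return ctx

def audit(ctx):
    """Describe what a context protects against."""
    if ctx is None:
        return "plaintext"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "encrypted, server identity not verified"
    if not ctx.check_hostname:
        return "encrypted, chain verified, hostname not checked"
    return "encrypted, chain and hostname verified"

# Constructed sample config: SSL on, no certfile, as in the clusters described in the issue.
cfg = SimpleNamespace(ssl=True, certfile=None, allow_unverified=False)
print(audit(proposed_context(cfg)))
```

Logging the `audit` result at connection time gives operators a record of which clusters are being backed up over unauthenticated TLS.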

@Miles-Garnsey Miles-Garnsey moved this from Assess/Investigate to In Progress in K8ssandra May 16, 2023
@adejanovski adejanovski added the in-progress Issues in the state 'in-progress' label May 16, 2023
@Miles-Garnsey Miles-Garnsey self-assigned this May 16, 2023
@adejanovski adejanovski moved this from In Progress to Product Backlog in K8ssandra Jun 13, 2023
@adejanovski adejanovski added product-backlog Issues in the state 'product-backlog' and removed in-progress Issues in the state 'in-progress' labels Jun 13, 2023
@rzvoncek rzvoncek added enhancement New feature or request and removed new Issues requiring triage labels Apr 3, 2024
@mohammad-aburadeh mohammad-aburadeh linked a pull request Apr 5, 2024 that will close this issue