thelastpickle / cassandra-medusa

Apache Cassandra Backup and Restore Tool
Apache License 2.0

Support SSL without cert files #563

Open mohammad-aburadeh opened 1 year ago

mohammad-aburadeh commented 1 year ago


Hi,

We have production Cassandra clusters where SSL (client_encryption_options) is enabled but no client validation is required (require_client_auth: false).

But medusa does not support enabling SSL without a cert file.

The current connection code in medusa is:

```python
if self._cassandra_config.certfile is not None:
    ssl_context = SSLContext(PROTOCOL_TLSv1_2)
    ssl_context.load_verify_locations(self._cassandra_config.certfile)
    ssl_context.verify_mode = CERT_REQUIRED
    if self._cassandra_config.usercert is not None and self._cassandra_config.userkey is not None:
        ssl_context.load_cert_chain(
            certfile=self._cassandra_config.usercert,
            keyfile=self._cassandra_config.userkey)
    self._ssl_context = ssl_context
```

As you can see in the above code, SSL is only enabled if "certfile" is provided. But in our case, SSL validation is not enabled. We need a way to connect to the cluster without a certfile.

Simply put, the code should look like this:

```python
if self._cassandra_config.ssl:
    ssl_context = SSLContext(PROTOCOL_TLSv1_2)

    if self._cassandra_config.certfile is not None:
        # A CA file is configured: verify the server certificate against it.
        ssl_context.load_verify_locations(self._cassandra_config.certfile)
        ssl_context.verify_mode = CERT_REQUIRED
        if self._cassandra_config.usercert is not None and self._cassandra_config.userkey is not None:
            ssl_context.load_cert_chain(
                certfile=self._cassandra_config.usercert,
                keyfile=self._cassandra_config.userkey)
    # Without a CA file the context keeps its default verify_mode (CERT_NONE).
    self._ssl_context = ssl_context
```

Could you please help to support this in medusa?

Regards, Mohammad

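For comparison, an added example (not medusa's code, and not part of the original issue) that contrasts the context built by the proposed snippet with a variant that keeps server verification on. With no CA file, `SSLContext(PROTOCOL_TLSv1_2)` keeps its default `verify_mode` of `CERT_NONE`, so traffic is encrypted but the server is not authenticated; the hypothetical `build_ssl_context` below instead falls back to the system trust store, and `check_hostname` is an assumed option for clusters addressed by IP.

```python
import ssl
import warnings
from typing import Optional


def as_proposed(certfile: Optional[str] = None) -> ssl.SSLContext:
    """Mirror the snippet proposed in the issue: a bare TLS 1.2 context,
    with a CA file loaded only when one is configured."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLSv1_2 is deprecated
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    if certfile is not None:
        ctx.load_verify_locations(certfile)
        ctx.verify_mode = ssl.CERT_REQUIRED
    # With no certfile the context keeps its defaults: CERT_NONE, no hostname check.
    return ctx


def build_ssl_context(ssl_enabled: bool,
                      certfile: Optional[str] = None,
                      usercert: Optional[str] = None,
                      userkey: Optional[str] = None,
                      check_hostname: bool = True) -> Optional[ssl.SSLContext]:
    """Hypothetical hardened variant: SSL can be enabled without a CA file,
    but the server certificate is still verified, against the system trust
    store when no certfile is given."""
    if not ssl_enabled:
        return None
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        ctx.load_verify_locations(cafile=certfile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    # Clusters are often addressed by IP; hostname checking can be relaxed
    # while a trusted certificate is still required.
    ctx.check_hostname = check_hostname
    # A client certificate only matters when the server sets require_client_auth.
    if usercert is not None and userkey is not None:
        ctx.load_cert_chain(certfile=usercert, keyfile=userkey)
    return ctx


def verifies_server(ctx: Optional[ssl.SSLContext]) -> bool:
    """True when the context will reject an untrusted server certificate."""
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED
```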

mohammad-aburadeh commented 1 year ago

Hi @adejanovski

Is there a plan to fix this?

Regards, Mohammad

Miles-Garnsey commented 1 year ago

Hi @mohammad-aburadeh, SSL requires each party to have a certificate; that's just how public key encryption works, unfortunately.

If you have host verification turned off, perhaps you can create a self-signed certificate and use that?