
latte has no option to force hostname validation #15

Closed
dimakr opened this issue Nov 4, 2024 · 2 comments · Fixed by #18

dimakr commented Nov 4, 2024

latte has no option to enforce hostname validation when client-to-node encryption is enabled.

The tool uses the openssl crate for configuring the SSL context. There, when the SSL context is initialized, the default SSL verify mode is SSL_VERIFY_NONE. This means that no verification of the server certificate will occur on the TLS handshake.
To enable certificate validation, including hostname, the SSL_VERIFY_PEER mode should be explicitly set in latte during SSL context building.

We need to consider whether we want to enable hostname validation in latte (maybe the latte run command can also be changed, to have hostname validation enabled only if requested).

NOTE: this was originally created as a qa-task https://github.com/scylladb/qa-tasks/issues/1770, as the latte repo didn't have the issues section enabled. Now moving this to latte issues.

@dimakr dimakr self-assigned this Nov 4, 2024
@dimakr dimakr added the enhancement New feature or request label Nov 5, 2024
dimakr added a commit to dimakr/latte that referenced this issue Nov 6, 2024
The change adds support for verifying whether the peer's certificate is trusted.

Fixes: scylladb#15
dimakr commented Nov 6, 2024

PR #18 addresses peer verification in general, so that we can ensure during the TLS handshake that latte talks to a trusted server, i.e. the server presents a certificate which is signed by the CA that is trusted by latte.

But hostname verification cannot be enforced from latte's side for now, as scylla-rust-driver has no support for it. An issue/feature request will be raised for scylla-rust-driver, and once implemented we can enable hostname verification in latte as well.
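The three verification postures this thread contrasts (SSL_VERIFY_NONE, SSL_VERIFY_PEER on its own as PR #18 adds it, and SSL_VERIFY_PEER with a hostname), as an added example that is not latte's code and does not use the openssl crate: it uses Go's standard crypto/x509 to show that chain verification and hostname matching are separate checks, so a certificate from a trusted CA that was issued for a different node passes until the expected hostname is supplied. The certificate, the names node1.example and other.example, and the function and mode names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// VerifyMode mirrors the openssl verify modes the issue talks about.
type VerifyMode int

const (
	VerifyNone         VerifyMode = iota // SSL_VERIFY_NONE: the server certificate is never checked
	VerifyPeer                           // SSL_VERIFY_PEER: chain must reach a trusted root, name ignored
	VerifyPeerHostname                   // SSL_VERIFY_PEER plus a hostname: chain and name must both match
)

// CheckServerCert is the client-side decision for a presented server certificate: it
// returns nil when a client in mode, connecting to host, would accept cert.
func CheckServerCert(mode VerifyMode, roots *x509.CertPool, host string, cert *x509.Certificate) error {
	if mode == VerifyNone {
		return nil // nothing is verified, so any certificate, trusted or not, passes
	}
	opts := x509.VerifyOptions{Roots: roots}
	if mode == VerifyPeerHostname {
		opts.DNSName = host // with DNSName empty, Verify checks the chain but never the name
	}
	_, err := cert.Verify(opts)
	return err
}

// NewCert builds a constructed self-signed certificate for host (standing in for a node's
// certificate) and a trust store holding only it; it is a fixture, so errors are ignored.
func NewCert(host string) (*x509.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // the only name this certificate is valid for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der) // parsed form carries Raw, which the pool needs
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool
}
```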

dimakr commented Nov 6, 2024

Created feature request scylladb/scylla-rust-driver#1116 for scylla-rust-driver, to add support for hostname verification in the driver.

vponomaryov pushed a commit that referenced this issue Nov 7, 2024
The change adds support for verifying whether the peer's certificate is trusted.

Fixes: #15