latte has no option to enforce hostname validation when client-to-node encryption is enabled.
The tool uses the openssl crate for configuring the SSL context. There, when the SSL context is initialized, the default SSL verify mode is SSL_VERIFY_NONE. This means that no verification of the server certificate will occur during the TLS handshake.
To enable certificate validation, including hostname, SSL_VERIFY_PEER mode should be explicitly set in latte during SSL context building.
We need to consider if we want to enable hostname validation in latte (maybe the latte run command can also be changed, to have hostname validation enabled only if requested).
PR #18 addresses peer verification in general, so that we can ensure during the TLS handshake that latte talks to a trusted server, i.e. the server presents a certificate which is signed by a CA that is trusted by latte.
But hostname verification cannot be enforced from the latte side for now, as scylla-rust-driver has no support for it. An issue/feature request will be raised for scylla-rust-driver, and once implemented we can enable hostname verification in latte as well.
NOTE: this was originally created as a qa-task https://github.com/scylladb/qa-tasks/issues/1770, as the latte repo didn't have the issues section enabled. Now moving this to latte issues.
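The gap between peer (chain) verification and hostname verification discussed in this thread, shown as an added example that is not latte or scylla-rust-driver code: an RFC 6125-style match of the requested host against a certificate's subjectAltName dNSName entries, using only the standard library. The function names and sample host names are constructed for illustration, and IP-address SANs are not handled.

```rust
// Added illustration; not code from latte, scylla-rust-driver or the openssl crate.
// A certificate can chain to a trusted CA and still belong to a different host.
// Hostname verification is the extra step that compares the requested host
// with the dNSName entries in the certificate's subjectAltName.

/// True if `host` matches the SAN dNSName `pattern`.
/// A wildcard is accepted only as the whole left-most label ("*.example.com"),
/// matches exactly one label, and needs at least two labels after it.
fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    let p: Vec<&str> = pattern.split('.').collect();
    let h: Vec<&str> = host.split('.').collect();
    if p.len() != h.len() || h.iter().any(|label| label.is_empty()) {
        return false;
    }
    for (i, (pl, hl)) in p.iter().zip(h.iter()).enumerate() {
        let wildcard_ok = i == 0 && *pl == "*" && p.len() >= 3;
        if !(wildcard_ok || pl == hl) {
            return false;
        }
    }
    true
}

/// The check that chain verification alone does not perform.
fn hostname_verified(san_dns_names: &[&str], host: &str) -> bool {
    san_dns_names.iter().any(|san| dns_name_matches(san, host))
}

fn main() {
    // Constructed sample: SANs of a certificate issued by the trusted CA.
    let sans = ["node1.db.example.internal", "*.cache.example.internal"];
    let hosts = [
        "node1.db.example.internal",
        "node2.db.example.internal", // same CA, different node: must be rejected
        "a.cache.example.internal",
    ];
    for host in hosts.iter() {
        println!("{}: {}", host, hostname_verified(&sans, host));
    }
}
```

With chain verification only, a certificate issued by the same CA to `node1` would be accepted on a connection intended for `node2`; the matcher above is what rejects it.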