[ 
https://issues.apache.org/jira/browse/CASSJAVA-24?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bret McGuire updated CASSJAVA-24:
---------------------------------
    Fix Version/s: 4.18.1

> Support reloading certificate stores in cassandra-java-driver
> -------------------------------------------------------------
>
>                 Key: CASSJAVA-24
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-24
>             Project: Apache Cassandra Java driver
>          Issue Type: New Feature
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 4.18.1
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> Currently, apache/cassandra-java-driver does not reload SSLContext when the 
> underlying certificate store files change. When the DefaultSslEngineFactory 
> (and the other factories) are set up, they build a fixed instance of 
> javax.net.ssl.SSLContext that doesn't change: 
> https://github.com/apache/cassandra-java-driver/blob/12e3e3ea027c51c5807e5e46ba542f894edfa4e7/core/src/main/java/com/datastax/oss/driver/internal/core/ssl/DefaultSslEngineFactory.java#L74
> This fixed SSLContext is used to negotiate SSL with the cluster, and if a 
> keystore is reloaded on disk it isn't picked up by the driver, and future 
> reconnections will fail if the keystore certificates have expired by the time 
> they're used to handshake a new connection.
> We should reload client certificates so that applications that provide them 
> can use short-lived certificates and not require a bounce to pick up new 
> certificates. This is especially relevant in a world with CASSANDRA-18554 and 
> broad use of mTLS.
> I have a patch for this that is nearly ready. Now that the project has moved 
> under apache/ - who can I work with to understand how CI works now?


