Out of curiosity, I have two further questions.
1. I know the client can *optionally* provide a certificate for the TLS
handshake, but is it possible to *require* the client to provide a
certificate?
2. Does Cassandra check that the username matches the client
certificate? E.g. TLS client certificate is issued to "bob", but logging
in CQL using the username "charol".
If the answer to Q1 is "no", it's not mutual-TLS.
If the answer to Q2 is "no", it would mean that the TLS client
certificate is used for primary authentication (but not authorisation),
and the CQL username & password will be used for secondary
authentication and authorisation. Anyone who has a valid client
certificate and private key pair can impersonate any CQL user if they
know the username and password. Depending on the threat model, this may
or may not pose a security risk.
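The two checks the questions above distinguish, as an added illustration written against Python's standard ssl module (example code, not Cassandra's implementation and not part of this thread; the peer-certificate dict is constructed in the format ssl.SSLSocket.getpeercert() returns):

```python
import ssl

# Constructed sample in the dict shape getpeercert() returns for a verified
# client certificate; not a real certificate.
PEER_CERT_BOB = {
    "subject": ((("commonName", "bob"),),),
    "subjectAltName": (("email", "bob@example.com"),),
}


def require_client_certs(ctx):
    """Q1: make the handshake fail unless the client presents a certificate.

    A server-side SSLContext defaults to CERT_NONE, i.e. client certificates
    are optional. The caller still loads the server key pair with
    ctx.load_cert_chain(...) and the client CA bundle with
    ctx.load_verify_locations(...)."""
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def certificate_identities(peer_cert):
    """Collect the names a verified client certificate asserts: every
    commonName in the subject plus every subjectAltName value."""
    names = set()
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value)
    for _kind, value in peer_cert.get("subjectAltName", ()):
        names.add(value)
    return names


def username_bound_to_cert(username, peer_cert):
    """Q2: accept the login only if the CQL username is one of the identities
    in the presented certificate (exact, case-sensitive match).

    Without this binding, any holder of a valid certificate and key who also
    knows a username/password pair can log in as that user."""
    if not peer_cert:          # None: no cert sent; {}: cert not verified
        return False
    return username in certificate_identities(peer_cert)
```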
On 21/09/2021 23:16, Dinesh Joshi wrote:
It sort of supports it. You still need to send in the username/password
credentials along with the client certificate to authenticate. Cassandra will
not derive the identity purely from the client certificate.
Dinesh
On Sep 21, 2021, at 11:59 AM, S G<sg.online.em...@gmail.com> wrote:
Hello,
Does anyone know if open-source Cassandra supports mutual-TLS?
The documentation doesn't conclusively deny or accept the support for the same.
Thanks!