
I've installed a single-node Datastax Cassandra v3.5 cluster on my Ubuntu machine. I'm trying to connect to the node using the command-line interface cqlsh using the SSL option without success (from the same machine). The steps I followed are:

  • Prepared the .keystore, .cer certificate and .truststore following this guide http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
  • Modified my cassandra.yaml accordingly:

    client_encryption_options:
        enabled: true
        optional: false
        keystore: /************************/.keystore
        keystore_password: ************************
        require_client_auth: false
        # Set trustore and truststore_password if require_client_auth is true
        truststore: /************************/.truststore
        truststore_password: ************************

  • Created a cqlshrc conf file and filled it following this guide https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html :

    [connection]
    hostname = *****
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory

    [ssl]
    certfile = /home/conf/mycert.cer
    validate = true ## Optional, true by default

So basically I created a private and public key, pointed Cassandra to my .keystore and .truststore (even though I don't think it's necessary because I'm not enforcing the client auth) and cqlsh to the public key (certificate).

Whenever I try to launch cqlsh --ssl I always get the same error and not a single debug message inside Cassandra. The error message is:

Connection error: ('Unable to connect to any servers', {'*.*****.******': error(0, "Tried connecting to [('..*.***', 9042)]. Last error: _ssl.c:344:error:00000000:lib(0):func(0):reason(0)")})

Just a side note, if I remove SSL authentication everything works perfectly.

EDIT

I've solved my initial issue following @Adam Holmberg's suggestion but still no luck with the SSL connection. I checked that I have the JCE libraries installed and I've been trying to force cqlsh to use SSLv23 or TLSv1 to establish the connection to the Cassandra server, but I receive the following error every time:

Connection error: ('Unable to connect to any servers', ... ... ... Last error: _ssl.c:510: EOF occurred in violation of protocol")})

Moreover, I've also added the JVM option -Djavax.net.debug=all to no avail; I don't see any additional log output about SSL.

Did you install the JCE libraries? - Aaron
Just a thought, but do you need to support two-way SSL? If not, try setting validate = false in both your cqlshrc and cassandra.yaml. - Aaron

3 Answers


Assuming "/home/conf/mycert.cer" is the file you created during server configuration, that is not the right format for Python (cqlsh). You need to export it in PEM format for Python:

keytool -exportcert -alias <alias> -keypass <pass> -keystore <keystore> -storepass <pass> -rfc -file cassandra_cert.pem

If you're just experimenting with cqlsh and are not concerned about true security, you can also omit those options (validate, certfile) from cqlshrc and connect with no cert validation.


After some trial and error and some useful hints given by @Adam and @Aaron (thanks for the help) I managed to finally establish an SSL connection between cqlsh and my Cassandra server instance.

After pondering the issue, I came to the conclusion that there was some kind of additional configuration error in both client and server, and to help other people who may face the same issue I'll post my final configuration here:

cqlshrc

[connection]
hostname = *****.*****.*****.*****.*****
port = 9042

[cql]
version = 3.4

[tracing]
max_trace_wait = 10.0

[ssl]
certfile = /****/****/****/****.cer.pem
validate = false ## Optional, true by default
#version = SSLv23
#factory = cqlshlib.ssl.ssl_transport_factory

cassandra.yaml (relevant part)

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /***/****/****/.keystore
    keystore_password: *********
    require_client_auth: false
    # Set trustore and truststore_password if require_client_auth is true
    truststore: /****/****/****/.truststore
    truststore_password: ****
    # More advanced defaults below:
    # protocol: TLSv1
    # algorithm: SunX509
    # store_type: JKS
    # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
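To make the [ssl] options in that cqlshrc concrete, here is an added Python illustration (not cqlsh's own code) of what each option means for the client's TLS setup: certfile is the PEM-exported server certificate used as trust anchor, validate = false accepts any server certificate unchecked, and version pins the protocol floor. The sample config, hostname, paths and the version-name mapping are constructed assumptions; it also goes beyond the post by handling both validate values.

```python
"""Show what the cqlshrc [ssl] options mean for a TLS client (added example)."""
import configparser
import ssl

# Constructed sample modelled on the cqlshrc posted above; hostname and
# paths are placeholders, not real files.
SAMPLE_CQLSHRC = """\
[connection]
hostname = cassandra.example.internal
port = 9042

[ssl]
certfile = /etc/cassandra/cassandra_cert.pem
validate = false ## Optional, true by default
version = TLSv1_2
"""


def ssl_settings(cqlshrc_text):
    """Parse the [ssl] section into the decisions a TLS client would make.

    Assumption: only the literal value 'false' turns validation off; the
    trailing '## ...' comment is stripped so it never becomes part of the value.
    """
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#", ";"))
    cfg.read_string(cqlshrc_text)
    validate = cfg.get("ssl", "validate", fallback="true").strip().lower() != "false"
    return {
        "certfile": cfg.get("ssl", "certfile", fallback=None),
        "validate": validate,
        "version": cfg.get("ssl", "version", fallback=None),
        # validate=false means the server certificate is accepted unchecked.
        "verify_mode": "CERT_REQUIRED" if validate else "CERT_NONE",
    }


def make_context(settings):
    """Build an ssl.SSLContext from the parsed settings (assumed mapping)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if settings["validate"]:
        # Validation on: the PEM cert (keytool ... -rfc) is the trust anchor.
        ctx.load_verify_locations(cafile=settings["certfile"])
    else:
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    version = settings["version"]
    if version and version != "SSLv23":
        # 'SSLv23' means "negotiate"; a named version pins the floor instead.
        ctx.minimum_version = ssl.TLSVersion[version]
    return ctx


def context_summary(ctx):
    """Return the security-relevant state of a context as plain strings."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }
```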

I was getting the error: Last error: [SSL] internal error (_ssl.c:727)

What solved this was adding the SSL version line to the cqlshrc file:

[connection]
(...)
version = SSLv23