I've installed a single-node Datastax Cassandra v3.5 cluster on my Ubuntu machine. I'm trying to connect to the node using the command-line interface cqlsh using the SSL option without success (from the same machine). The steps I followed are:
- Prepared the .keystore, .cer certificate and .truststore following this guide http://docs.datastax.com/en/cassandra/2.0/cassandra/security/secureSSLCertificates_t.html
- Modified my cassandra.yaml accordingly:

    client_encryption_options:
        enabled: true
        optional: false
        keystore: /************************/.keystore
        keystore_password: ************************
        require_client_auth: false
        # Set trustore and truststore_password if require_client_auth is true
        truststore: /************************/.truststore
        truststore_password: ************************

- Created a cqlshrc conf file and filled it following this guide https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html :

    [connection]
    hostname = *****
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory
    [ssl]
    certfile = /home/conf/mycert.cer
    validate = true ## Optional, true by default

So basically I created a private and public key, pointed Cassandra to my .keystore and .truststore (even though I don't think it's necessary because I'm not enforcing the client auth) and cqlsh to the public key (certificate).
Whenever I try to launch cqlsh --ssl
I always get the same error and not a single debug message inside Cassandra. The error message is:
Connection error: ('Unable to connect to any servers',
{'*.*****.******': error(0, "Tried connecting to
[('..*.***', 9042)]. Last error: _ssl.c:344:error:00000000:lib(0):func(0):reason(0)")})
Just a side note, if I remove SSL authentication everything works perfectly.
EDIT
I've solved my initial issue following @Adam Holmberg's suggestion but still no luck with the SSL connection. I checked that I have JCE libraries installed and I've been trying to force cqlsh to use SSLv23 or TLSv1 to establish the connection to the Cassandra server, but I receive the following error every time:
Connection error: ('Unable to connect to any servers', … … …
Last error: _ssl.c:510: EOF occurred in violation of protocol")})
Moreover, I've also added the JVM option -Djavax.net.debug=all to no avail; I don't see any additional log about SSL.
Best Answer
Assuming "/home/conf/mycert.cer" is the file you created during server configuration, that is not the right format for Python (cqlsh). You need to export it in PEM format for Python:
If you're just experimenting with cqlsh and are not concerned about true security, you can also omit those options (validate, certfile) from cqlshrc and connect with no cert validation.
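To see what the answer means by "the right format", here is an added example (not part of the question or the answer): a small Python check, since cqlsh is Python, that tells whether a certfile body is DER (what `keytool -exportcert` writes by default) or PEM (what `keytool -exportcert -rfc` writes and what the Python ssl layer expects), and converts DER to PEM with the standard library's `ssl` helpers. The function names are my own and the sample DER bytes are constructed, not a real certificate.

```python
import ssl
from typing import Optional

PEM_MARKER = b"-----BEGIN "


def _der_length(data: bytes) -> Optional[int]:
    """Total encoded length of a DER SEQUENCE at the start of data, or None."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_cert_encoding(data: bytes) -> str:
    """Classify a certificate file body as 'PEM', 'DER' or 'unknown'."""
    if data.lstrip().startswith(PEM_MARKER):
        return "PEM"
    # A DER certificate is one SEQUENCE whose declared length fills the file.
    if _der_length(data) == len(data):
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text for a PEM or DER certificate body (what cqlsh needs)."""
    kind = detect_cert_encoding(data)
    if kind == "PEM":
        return data.decode("ascii")
    if kind == "DER":
        return ssl.DER_cert_to_PEM_cert(data)   # base64 + BEGIN/END CERTIFICATE lines
    raise ValueError("not a PEM or DER certificate")


def to_der(pem_text: str) -> bytes:
    """Inverse of to_pem, used to confirm the conversion is lossless."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


# Constructed sample: a DER SEQUENCE wrapping INTEGER 5, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    print(detect_cert_encoding(SAMPLE_DER))   # DER
    print(to_pem(SAMPLE_DER))
```

Run `detect_cert_encoding` on the bytes of your certfile: a result of `DER` explains the `_ssl.c` error, and writing `to_pem(...)` out to a new file gives cqlsh a certfile it can load.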