Connecting to Cassandra using SSL

Hi everyone, I’m struggling to connect to Cassandra using SSL. Currently I’m trying the Elixir library Xandra, which seems to have this option, but I can’t figure out how to do so. The documentation is not so clear about the ssl option.

My connection code looks like this:

  {:ok, pid} = Xandra.start_link(nodes: ["cassandra.eu-central-1.amazonaws.com:9142"], encryption: true, transport_options: [certificate: "AmazonRootCA1.pem"], authentication: {Xandra.Authenticator.Password, options})

As an error I got this message:

[error] ... action "TCP connect" failed with reason: {:options, {:keyfile, 'AmazonRootCA1.pem', []}}

Am I doing something wrong?

If someone has any clue how to connect to Cassandra, please give me some hints.

Thank you all

Disclaimer: I have not used Cassandra or Xandra myself.

I would start by enabling encryption without any ssl options, just to see that the transport layer works. So encryption: true, transport_options: []. Assuming Xandra does not override any of the ssl options, this would establish a TLS connection, but without verifying the server’s certificate.

Once that is working I would set transport_options: [verify: :verify_peer, cacertfile: 'AmazonRootCA1.pem']. This will likely fail, because some further options are typically needed for AWS servers, but at least it should attempt the handshake. If instead this results in errors about the CA certificate, there may be a problem locating or reading the CA certificate file.

If the handshake results in ‘depth’ errors, because AWS servers tend to have a long certificate chain, add depth: 2 or depth: 3 to the ssl options (the default value is 1).

If you see errors about hostname verification, add customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)], to improve handling of wildcard certificates.

2 Likes

Many thanks for your quick reply. With encryption: true, transport_options: [] it works as you said, so it seems the transport layer works. But once I added transport_options parameters I was getting the error: reason: {:tls_alert, 'unknown ca'}. With a bit of searching I was able to connect using the option versions: [:'tlsv1.2'].

This is the complete configuration:

  {:ok, pid} = Xandra.start_link(nodes: ["cassandra.eu-central-1.amazonaws.com:9142"], encryption: true, transport_options: [versions: [:'tlsv1.2'], cacertfile: "AmazonRootCA1.pem"], authentication: {Xandra.Authenticator.Password, option})

I still need to figure out if everything works, but I was able to set the keyspace, so it seems to be working.

The :versions option should not really affect the certificate chain verification.

I believe the ‘unknown CA’ error happens because Amazon’s root CA is a cross-signed CA certificate, and the chain the server is sending includes the cross-signed intermediate version that was signed by another root CA. Such configurations are not very well supported by the :ssl application.

You can fix this by creating a CA store that includes both the Amazon root CA (from your current AmazonRootCA1.pem file) and the ‘/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority’ certificate (see below). Then update the :cacertfile option to point to that new file with both certs. That should work both with Amazon’s current configuration and in the future once they remove the cross-signing CAs and rely only on their own root CA.

During testing keep in mind that :ssl enables session reuse by default, meaning connections to a specific server will skip the TLS handshake if a prior connection to that server can be resumed. In that case, any new ssl options you passed will simply be ignored. If you restart your application every time this is not an issue, but it can bite you when trying things in IEx.


1 Like
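Putting the advice from the reply above together (combined CA bundle, verify_peer, depth, hostname check, and no session reuse while testing), as an added example that is not code from the thread or from the Xandra project; the Starfield certificate filename, the bundle path and the auth options are assumptions:

```elixir
# Added example, not from the thread. Builds one CA bundle from the Amazon root CA
# and the Starfield Class 2 CA and returns the :ssl options to hand to Xandra.
defmodule CassandraTLS do
  @root_ca "AmazonRootCA1.pem"
  # Assumed filename for the Starfield Class 2 certificate quoted in the reply.
  @cross_ca "StarfieldClass2CA.pem"
  @bundle "cassandra-ca-bundle.pem"

  # Concatenate the CA files and check that the result really parses as one
  # certificate per input file, so a wrong path or an empty file fails here
  # instead of surfacing later as an opaque 'unknown ca' alert.
  def build_bundle!(files \\ [@root_ca, @cross_ca], out \\ @bundle) do
    pem = files |> Enum.map(&File.read!/1) |> Enum.join("\n")
    certs = for {:Certificate, _der, :not_encrypted} <- :public_key.pem_decode(pem), do: :ok

    if length(certs) != length(files) do
      raise "expected #{length(files)} certificates in bundle, got #{length(certs)}"
    end

    File.write!(out, pem)
    out
  end

  # Erlang :ssl client options: verify the chain against the bundle, allow the
  # longer AWS chain, use the :https matcher for wildcard hostnames, and turn
  # off session reuse so changed options are exercised on every new connection.
  def transport_options(bundle \\ @bundle) do
    [
      verify: :verify_peer,
      cacertfile: String.to_charlist(bundle),
      depth: 3,
      customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)],
      reuse_sessions: false
    ]
  end

  # auth_options is whatever keyword list Xandra.Authenticator.Password expects
  # (username/password); it is left to the caller here.
  def connect(auth_options) do
    bundle = build_bundle!()

    Xandra.start_link(
      nodes: ["cassandra.eu-central-1.amazonaws.com:9142"],
      encryption: true,
      transport_options: transport_options(bundle),
      authentication: {Xandra.Authenticator.Password, auth_options}
    )
  end
end
```

Once the connection is confirmed working, reuse_sessions: false can be dropped again; it only exists here to stop IEx from silently resuming an earlier session with the old options.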

Roger that, thank you so much for explanation and your time. I will try to do as you said.

Have a wonderful day and stay safe!

1 Like