Certificate verification failed


difrost...@gmail.com

Jul 17, 2017, 7:52:12 AM
to DataStax C++ Driver for Apache Cassandra User Mailing List
Hi,

I've got a C* setup with SSL enabled (per-node certs with CN set to the hostname) and client-to-node encryption. While cqlsh works correctly, I can't get the cpp-driver to verify the certificate (with verification disabled I can connect to that node). It throws the following error:

Error verifying peer certificate: self signed certificate in certificate chain.

openssl is able to verify node certificate with the ca chain specified (same used by the driver):
# openssl s_client -connect node:9042 -showcerts -CAfile /etc/certs/ca.pem
[!snip]
No client certificate CA names sent
---
SSL handshake has read 3794 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
[!snip]
Verify return code: 0 (ok)


Any ideas on what can go wrong here?

Cheers,
-Jacek

Michael Penick

Jul 17, 2017, 10:00:31 AM
to cpp-dri...@lists.datastax.com
Do you have hostname resolution enabled? It can be enabled using cass_cluster_set_use_hostname_resolution().


Mike


--
You received this message because you are subscribed to the Google Groups "DataStax C++ Driver for Apache Cassandra User Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cpp-driver-user+unsubscribe@lists.datastax.com.

difrost...@gmail.com

Jul 17, 2017, 10:36:34 AM
to DataStax C++ Driver for Apache Cassandra User Mailing List
Yes, of course I've got that enabled.

-Jacek

difrost...@gmail.com

Jul 25, 2017, 7:44:41 AM
to DataStax C++ Driver for Apache Cassandra User Mailing List
I would like to debug that issue.

Michael, can you point me in a good starting direction? This happens on session start, so I guess it would be: ssl_session_->verify() ?

Cheers,
-Jacek


Michael Penick

Jul 25, 2017, 8:52:22 AM
to cpp-dri...@lists.datastax.com
Thanks. That would be very helpful.

Yes, `ssl_session_->verify()` is a good entry point. It ends up here: https://github.com/datastax/cpp-driver/blob/2.7.0/src/ssl/ssl_openssl_impl.cpp#L470-L487. `OpenSslVerifyIdentity::match_dns()` is likely not returning a match.

Let me know if you have any questions or feedback.

Mike


difrost...@gmail.com

Jul 25, 2017, 9:00:55 AM
to DataStax C++ Driver for Apache Cassandra User Mailing List
We are actually failing here: https://github.com/datastax/cpp-driver/blob/3c55e33328dd36c78b43be754a5056e7ddc5b6ea/src/ssl/ssl_openssl_impl.cpp#L443

Looks like the cert is missing on verification, same as below:
openssl s_client -connect node:9042 -showcerts | grep Verify
verify error:num=19:self signed certificate in certificate chain
verify return:0
Verify return code: 19 (self signed certificate in certificate chain)

This looks like a valid failure point, as setting cass_ssl_set_verify_flags(ssl, CASS_SSL_VERIFY_PEER_IDENTITY_DNS) bypasses peer verification but performs DNS matching. Here the session starts without errors.

-Jacek
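The s_client check from the thread, with and without the CA in the trust store, reproduced locally against throwaway certificates (an added example, not code from the thread or the cpp-driver project; it assumes the openssl CLI 1.1.1 or newer on PATH and uses the constructed hostname node.example.test). A CA that is only present in the chain the node sends gives verify code 19, the same CA placed in the trust store (what -CAfile does for s_client and what the driver's cass_ssl_add_trusted_cert() does for CASS_SSL_VERIFY_PEER_CERT) gives 0, and a trusted CA with a non-matching hostname gives 62, the identity failure that CASS_SSL_VERIFY_PEER_IDENTITY_DNS checks for.

```shell
#!/bin/sh
# Added example, not code from the thread or the cpp-driver project.
# Assumes the openssl CLI (1.1.1+) is on PATH. Hostname below is constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_HOST=node.example.test

make_certs() {
  # Minimal req config so the result does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/req.cnf"
  # Self-signed CA: this is the "self signed certificate in certificate chain"
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  # Per-node cert with CN set to the hostname plus a matching SAN, signed by the CA
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/node.key" \
    -out "$WORK/node.csr" -subj "/CN=$NODE_HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$NODE_HOST" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/node.pem" >/dev/null 2>&1
}

# verify_node HOST trusted|untrusted
# Validates node.pem the way a client would and prints the OpenSSL verify error
# number (0 = ok), i.e. the "Verify return code" that s_client reports.
# "trusted" puts the CA in the trust store (like -CAfile); "untrusted" only makes
# it available as part of the presented chain, which is the driver's situation
# when the CA was never added to its trust store.
verify_node() {
  host=$1
  if [ "$2" = trusted ]; then ca_opt="-CAfile $WORK/ca.pem"; else ca_opt="-untrusted $WORK/ca.pem"; fi
  out=$(openssl verify $ca_opt -verify_hostname "$host" "$WORK/node.pem" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

make_certs
echo "trusted CA, right host: $(verify_node "$NODE_HOST" trusted)"        # 0
echo "CA only in sent chain:  $(verify_node "$NODE_HOST" untrusted)"      # 19
echo "trusted CA, wrong host: $(verify_node other.example.test trusted)"  # 62
```

Adding the CA to the trust store while keeping both verify flags set fixes the code-19 failure; dropping CASS_SSL_VERIFY_PEER_CERT only silences it.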
