Description

During work to migrate Cassandra to PKI, @elukey discovered that golang Cassandra clients do not validate any metadata of the TLS server certs (expiry date, chain, hostname, etc.). This seems to be true of at least the new AQS 2.0 services, image suggestions, and Kask (sessionstore & echostore).

Details
Title | Reference | Author | Source Branch | Dest Branch
---|---|---|---|---
Configure verification of server certificate chain and hostname | repos/mediawiki/services/kask!2 | eevans | enable_host_verification | main
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T352647 Move Cassandra clusters to PKI
Open | None | | T361964 Golang-based Cassandra clients do not perform TLS host verification
Event Timeline
eevans opened https://gitlab.wikimedia.org/repos/mediawiki/services/kask/-/merge_requests/2
Configure verification of server certificate chain and hostname
eevans merged https://gitlab.wikimedia.org/repos/mediawiki/services/kask/-/merge_requests/2
Configure verification of server certificate chain and hostname
@Eevans medium is going to mean that it will likely only make it into a sprint at the end of this quarter. Is that ok or is this a risk?
It's been like this all along, so waiting until the end of the quarter is probably OK.
We've encountered a problem enabling verification for gocql-based clients (see: T352647#9715110). We'll need to implement a custom HostDialer for Cassandra-connecting golang services before this work can continue.
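As an added illustration of the gap this task describes (example code written for this page, not code from Kask, AQS 2.0, image suggestions, or gocql): a standard-library-only Go program that stands up two loopback TLS servers with constructed self-signed certificates, one valid and one expired, and dials them with a client that skips verification versus clients that verify chain, hostname and expiry. The "skip-verify" client is the state a gocql client ends up in when SslOptions.EnableHostVerification is left false and no tls.Config is supplied (gocql then sets InsecureSkipVerify to true); gocql itself is not imported so the program runs offline. The host name cassandra.example, the certificates and the port are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on setup errors (test scaffolding only).
func must(err error) { if err != nil { panic(err) } }

// selfSigned builds a constructed, self-signed server certificate for dnsName valid over [notBefore, notAfter] (throwaway test PKI).
func selfSigned(dnsName string, notBefore, notAfter time.Time) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	parsed, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// serve starts a loopback TLS listener presenting cert and returns its address; each accepted connection gets one handshake.
func serve(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln.Addr().String()
}

// Handshake outcomes, classified by the x509 error type Go's verifier returned.
const Connected, BadHostname, UntrustedChain, Expired = "connected", "hostname mismatch", "untrusted chain", "certificate expired"

// dial runs a client handshake against addr with cfg and classifies the result.
func dial(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
		return Connected
	}
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, new(x509.HostnameError)):
		return BadHostname
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return UntrustedChain
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	}
	return "other: " + err.Error()
}

func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// Demo dials a valid and an expired server with several client configs. "skip-verify" is the
// state gocql produces when EnableHostVerification is false and no tls.Config is supplied.
func Demo() map[string]string {
	now, name := time.Now(), "cassandra.example" // hypothetical host name
	good, goodCert := selfSigned(name, now.Add(-time.Hour), now.Add(time.Hour))
	expired, expiredCert := selfSigned(name, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	_, strangerCert := selfSigned(name, now.Add(-time.Hour), now.Add(time.Hour)) // same name, unrelated key
	goodAddr, expiredAddr := serve(good), serve(expired)
	return map[string]string{
		"skip-verify":         dial(goodAddr, &tls.Config{InsecureSkipVerify: true}),
		"expired-skip-verify": dial(expiredAddr, &tls.Config{InsecureSkipVerify: true}),
		"verified":            dial(goodAddr, &tls.Config{RootCAs: pool(goodCert), ServerName: name}),
		"wrong-name":          dial(goodAddr, &tls.Config{RootCAs: pool(goodCert), ServerName: "other.example"}),
		"untrusted":           dial(goodAddr, &tls.Config{RootCAs: pool(strangerCert), ServerName: name}),
		"expired":             dial(expiredAddr, &tls.Config{RootCAs: pool(expiredCert), ServerName: name}),
	}
}

func main() {
	fmt.Println(Demo())
}
```

The two skip-verify rows connect to anything, including the expired certificate, which is the behaviour the description reports; the verifying client rejects the wrong name, the untrusted chain and the expired certificate while still connecting to the good one. The same dial function, pointed at a real cluster with the deployment's CA bundle in RootCAs and the node name in ServerName, is a cheap way to confirm that a service's TLS settings actually enforce verification before rolling them out.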