Page MenuHomePhabricator
Create Task
Maniphest T361964

Golang-based Cassandra clients do not perform TLS host verification
Open, MediumPublic
Actions

Description

During work to migrate Cassandra to PKI, @elukey discovered that golang Cassandra clients do not validate any metadata of the TLS server certs (expiry date, chain, hostname, etc..). This seems to be true of at least the new AQS 2.0 services, image suggestions, and Kask (sessionstore & echostore).

Details

TitleReferenceAuthorSource BranchDest Branch
Configure verification of server certificate chain and hostnamerepos/mediawiki/services/kask!2eevansenable_host_verificationmain
Customize query in GitLab

Related Objects
Search...

Event Timeline

Eevans triaged this task as Medium priority.Fri, Apr 5, 6:24 PM
Eevans created this task.
CodeReviewBot added a project: Patch-For-Review.Fri, Apr 5, 6:41 PM

eevans opened https://gitlab.wikimedia.org/repos/mediawiki/services/kask/-/merge_requests/2

Configure verification of server certificate chain and hostname

elukey updated the task description. (Show Details)Mon, Apr 8, 9:27 AM
taavi mentioned this in T362047: Phabricator gitlab panel is hard to read on narrow screens.Mon, Apr 8, 9:35 AM
CodeReviewBot added a comment.Mon, Apr 8, 2:11 PM

eevans merged https://gitlab.wikimedia.org/repos/mediawiki/services/kask/-/merge_requests/2

Configure verification of server certificate chain and hostname

Maintenance_bot removed a project: Patch-For-Review.Mon, Apr 8, 2:31 PM
VirginiaPoundstone added projects: Data Products, AQS2.0.Mon, Apr 8, 2:43 PM
VirginiaPoundstone subscribed.

Adding to Data Products team backlog.

WDoranWMF subscribed.Mon, Apr 8, 5:31 PM

@Eevans medium is going to mean that it will likely only make it into a sprint at the end of this quarter. Is that ok or is this a risk?

Eevans updated the task description. (Show Details)Wed, Apr 10, 1:10 PM
Eevans added a comment.Wed, Apr 10, 8:42 PM
In T361964#9698601, @WDoranWMF wrote:

@Eevans medium is going to mean that it will likely only make it into a sprint at the end of this quarter. Is that ok or is this a risk?

It's been like this all along, so waiting until the end of the quarter is probably OK.

VirginiaPoundstone moved this task from Incoming to To be discussed on the Data Products board.Mon, Apr 15, 7:28 PM
Eevans added a comment.Tue, Apr 16, 2:55 PM

We've encountered a problem enabling verification for gocql-based clients (see: T352647#9715110). We'll need to implement a custom HostDialer for Cassandra-connecting golang services before this work can continue.

Eevans renamed this task from (some?) golang-based Cassandra clients do not perform TLS host verification to Golang-based Cassandra clients do not perform TLS host verification.Tue, Apr 16, 2:55 PM
Eevans moved this task from Backlog to In-Progress on the Cassandra board.
VirginiaPoundstone moved this task from To be discussed to AQS Backlog on the Data Products board.Wed, Apr 17, 3:34 PM
WDoranWMF added a comment.Wed, Apr 17, 3:34 PM

@Eevans Please let us know when this is unblocked.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL