# Cassandra client-to-node TLS settings, using a PKCS#12 keystore and truststore.
# NOTE(review): the keys below look flattened by the page rendering; in cassandra.yaml
# they would be indented under client_encryption_options. Confirm against the real file.
# NOTE(review): no require_client_auth key is present in this fragment, so clients are
# presumably not asked for a certificate. Confirm against the full configuration.
client_encryption_options:
enabled: true
# Holds the server certificate chain and private key (see the openssl dump on this page).
keystore: /etc/cassandra/keystore.p12
# Literal test password stored in clear text; outside a throwaway CI cluster, use a
# strong secret and restrict read access to this file and to the keystore.
keystore_password: password
truststore: /etc/cassandra/truststore.p12
# Same literal test password as the keystore.
truststore_password: password
# Generic protocol name. The TLS versions actually negotiated presumably depend on the
# JVM defaults; verify on the running node.
protocol: TLS
algorithm: SunX509
store_type: PKCS12
:~# openssl pkcs12 -info -aes256 -password pass:password -in /etc/cassandra/keystore.p12 -passin pass:password
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName: cassandra
localKeyID: B7 32 3A 1F ED B6 63 F9 AC 9E B0 E2 2D 88 41 37 BE 0B 44 63
subject=C = FI, O = Dovecot, CN = localhost
issuer=C = FI, O = Dovecot, CN = Dovecot Server ECC Intermediate CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=C = FI, O = Dovecot, CN = Dovecot Server ECC Intermediate CA
issuer=C = FI, O = Dovecot, CN = Dovecot Server ECC ROOT CA
-----BEGIN CERTIFICATE-----
MIICujCCAkGgAwIBAgIBAjAKBggqhkjOPQQDAjBEMQswCQYDVQQGEwJGSTEQMA4G
A1UECgwHRG92ZWNvdDEjMCEGA1UEAwwaRG92ZWNvdCBTZXJ2ZXIgRUNDIFJPT1Qg
Q0EwHhcNMjAwODI0MDgwOTM0WhcNMjEwODI0MDgwOTM0WjBMMQswCQYDVQQGEwJG
STEQMA4GA1UECgwHRG92ZWNvdDErMCkGA1UEAwwiRG92ZWNvdCBTZXJ2ZXIgRUND
IEludGVybWVkaWF0ZSBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABArOJZ0T4xsT
Wx9hS64xRurOgA/+fiqH9yPk1AKCyJfoK0xoviLnG0it2FGSFG5Hi3/Xv5p38WPM
AdhIs15IWiE5zuPD9P+Juh+UdJAlTZUe8vCIKBHvlQfi/6YowwUPm6OB/jCB+zAd
BgNVHQ4EFgQUylD5S/dT6N6aJbrmAUtN5UpWXeUwHwYDVR0jBBgwFoAUc3zXuvgl
tHWZZDsTP3f3K07i2B0wEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMC
AYYwMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2xvY2FsaG9zdC9jYS9yZXZvY2F0
aW9uLmNybDBgBggrBgEFBQcBAQRUMFIwLQYIKwYBBQUHMAKGIWh0dHA6Ly9sb2Nh
bGhvc3QvY2EvY2Fpc3N1ZXJzLmNydDAhBggrBgEFBQcwAYYVaHR0cDovL2xvY2Fs
aG9zdC9vY3NwMAoGCCqGSM49BAMCA2cAMGQCMECPDE0Mc/eGYmEODz94kZxOoU30
XOLS5eeo6mNcHgJ5Mf28YpaM9TQ8965ELkbAdgIwQOMSA5NTCMGxkLJgwq8xbtcY
9Y+VhNnOV7RhgZMpGbV5AixaXOSdBhwN+9ncXDkm
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName: cassandra
localKeyID: B7 32 3A 1F ED B6 63 F9 AC 9E B0 E2 2D 88 41 37 BE 0B 44 63
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBHDBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQImdDodcWYCaMCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC/7GXqY5iGWujK3CeEo9otBIHA
PHQOaSClTie0f7oLKVJcIY+JTjfm6az7JvMoJaYCWmLh2q1zujcwRGWTH35lgJXw
NWRFCDzp93Lx2Gqz6LvGD9RiWlD4F9HkiJKOee7SBWOnLd0uHLYcj5muzQMY9GBp
YVSehgsWKX/vRWKItrdjrpzyQ9y2XKmpvcoLvw8cNSwVLW8Q3bCUmlM4kDZT7URV
gF7Ph/Kn9ji64P8dHlf0ik8CdT/AavZfZd3a1g/5zXQUNwdc8T/EbyTo0dpypcKa
-----END ENCRYPTED PRIVATE KEY-----
# env SSL_CERTFILE=/tmp/testrun-200824_080933/dict-sql-ssl/etc/dovecot/ec-server-ca.pem cqlsh --ssl
Connected to ci-cluster at localhost:9042.
[cqlsh 5.0.1 | Cassandra 3.11.6 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh> DESCRIBE KEYSPACES;
system_traces system_schema system_auth system system_distributed
cqlsh>
#include <stdio.h>
#include <stdlib.h>
#include <cassandra.h>
/*
 * Trust material handed to cass_ssl_add_trusted_cert() in main().
 *
 * The string is a concatenation of, in order:
 *   - two PEM "X509 CRL" blocks,
 *   - an openssl-style text dump of a certificate whose Issuer and Subject are
 *     both "Dovecot Server ECC ROOT CA" (a self-signed root, P-384 key),
 *   - one PEM CERTIFICATE block.
 *
 * NOTE(review): presumably only the CERTIFICATE block acts as the trust anchor.
 * How the driver treats the leading CRL blocks and the text dump is not visible
 * here; confirm, or pass only the CERTIFICATE block.
 * NOTE(review): the dump lists "Not After : Aug 24 08:09:34 2021 GMT", so this
 * test root is short-lived and chain verification should fail after that date.
 */
static const char *server_ca_cert =
"-----BEGIN X509 CRL-----\n"
"MIIBajCB8QIBATAKBggqhkjOPQQDAjBEMQswCQYDVQQGEwJGSTEQMA4GA1UECgwH\n"
"RG92ZWNvdDEjMCEGA1UEAwwaRG92ZWNvdCBTZXJ2ZXIgRUNDIFJPT1QgQ0EXDTIw\n"
"MDgyNDA4MDkzNFoXDTIwMDkyMzA4MDkzNFqgfDB6MGwGA1UdIwRlMGOAFHN817r4\n"
"JbR1mWQ7Ez939ytO4tgdoUikRjBEMQswCQYDVQQGEwJGSTEQMA4GA1UECgwHRG92\n"
"ZWNvdDEjMCEGA1UEAwwaRG92ZWNvdCBTZXJ2ZXIgRUNDIFJPT1QgQ0GCAQEwCgYD\n"
"VR0UBAMCAQEwCgYIKoZIzj0EAwIDaAAwZQIwbAmAEEPhoOnkQvdO1m6CIO4tzg0F\n"
"L8K1iiVfSgwa//eamXBej2v4daSL0onsPWriAjEA6zwYb3Hi/ceyDff93U30yYVa\n"
"B61D3v+HBUxH7aoFBpMCYBvDgF8V7ltDIVt9Aaoj\n"
"-----END X509 CRL-----\n"
"-----BEGIN X509 CRL-----\n"
"MIIBcTCB+QIBATAKBggqhkjOPQQDAjBMMQswCQYDVQQGEwJGSTEQMA4GA1UECgwH\n"
"RG92ZWNvdDErMCkGA1UEAwwiRG92ZWNvdCBTZXJ2ZXIgRUNDIEludGVybWVkaWF0\n"
"ZSBDQRcNMjAwODI0MDgwOTM0WhcNMjAwOTIzMDgwOTM0WqB8MHowbAYDVR0jBGUw\n"
"Y4AUylD5S/dT6N6aJbrmAUtN5UpWXeWhSKRGMEQxCzAJBgNVBAYTAkZJMRAwDgYD\n"
"VQQKDAdEb3ZlY290MSMwIQYDVQQDDBpEb3ZlY290IFNlcnZlciBFQ0MgUk9PVCBD\n"
"QYIBAjAKBgNVHRQEAwIBAjAKBggqhkjOPQQDAgNnADBkAjAC9nll//owT11sYub/\n"
"ZZAtW2VnjLm8FXxNd/nBNmHM1V6d5ee46khbReciy2Xt9ewCMCrAYgLX7oiY2YbR\n"
"Y/xqZIP5txkfoE8dmcZyQdu8MmdFEyG6IhDiF92FpxQ7Z8j/Ug==\n"
"-----END X509 CRL-----\n"
"Certificate:\n"
" Data:\n"
" Version: 3 (0x2)\n"
" Serial Number: 1 (0x1)\n"
" Signature Algorithm: ecdsa-with-SHA256\n"
" Issuer: C=FI, O=Dovecot, CN=Dovecot Server ECC ROOT CA\n"
" Validity\n"
" Not Before: Aug 24 08:09:34 2020 GMT\n"
" Not After : Aug 24 08:09:34 2021 GMT\n"
" Subject: C=FI, O=Dovecot, CN=Dovecot Server ECC ROOT CA\n"
" Subject Public Key Info:\n"
" Public Key Algorithm: id-ecPublicKey\n"
" Public-Key: (384 bit)\n"
" pub:\n"
" 04:b5:dd:30:33:21:19:75:12:c2:3b:6e:4c:5b:a9:\n"
" b9:c7:99:30:c7:ed:5b:7d:05:06:7e:c3:2a:af:d1:\n"
" 6b:ba:f9:9a:bc:95:79:bd:12:2a:fb:62:5f:42:a5:\n"
" 33:37:aa:af:77:82:3e:41:e0:1c:29:d7:a1:bd:a6:\n"
" 78:06:95:bb:bd:85:03:a0:0f:99:67:35:04:95:41:\n"
" c9:96:e9:7c:39:2c:0d:23:33:38:a4:97:c3:cc:63:\n"
" 02:52:95:bf:f9:af:84\n"
" ASN1 OID: secp384r1\n"
" NIST CURVE: P-384\n"
" X509v3 extensions:\n"
" X509v3 Subject Key Identifier: \n"
" 73:7C:D7:BA:F8:25:B4:75:99:64:3B:13:3F:77:F7:2B:4E:E2:D8:1D\n"
" X509v3 Authority Key Identifier: \n"
" keyid:73:7C:D7:BA:F8:25:B4:75:99:64:3B:13:3F:77:F7:2B:4E:E2:D8:1D\n"
"\n"
" X509v3 Basic Constraints: critical\n"
" CA:TRUE, pathlen:1\n"
" X509v3 Key Usage: critical\n"
" Digital Signature, Certificate Sign, CRL Sign\n"
" Signature Algorithm: ecdsa-with-SHA256\n"
" 30:64:02:30:3d:47:85:c2:ca:2f:6d:09:52:a5:24:5c:e9:d2:\n"
" 40:80:2f:fd:f4:b0:ae:e5:48:c7:7b:24:17:ed:6c:7b:59:e9:\n"
" 14:3d:ae:d4:f7:03:40:c4:9b:5a:ad:c1:84:f8:54:0d:02:30:\n"
" 3d:52:2f:07:1e:e9:d3:b0:f1:08:ce:25:0d:98:0c:05:fe:dc:\n"
" 71:ec:e7:3f:cd:c4:be:ed:6f:1a:de:19:67:0e:ea:cd:bf:4d:\n"
" bf:51:8b:e1:4c:be:fb:78:af:ce:cc:5a\n"
"-----BEGIN CERTIFICATE-----\n"
"MIICGTCCAaCgAwIBAgIBATAKBggqhkjOPQQDAjBEMQswCQYDVQQGEwJGSTEQMA4G\n"
"A1UECgwHRG92ZWNvdDEjMCEGA1UEAwwaRG92ZWNvdCBTZXJ2ZXIgRUNDIFJPT1Qg\n"
"Q0EwHhcNMjAwODI0MDgwOTM0WhcNMjEwODI0MDgwOTM0WjBEMQswCQYDVQQGEwJG\n"
"STEQMA4GA1UECgwHRG92ZWNvdDEjMCEGA1UEAwwaRG92ZWNvdCBTZXJ2ZXIgRUND\n"
"IFJPT1QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAS13TAzIRl1EsI7bkxbqbnH\n"
"mTDH7Vt9BQZ+wyqv0Wu6+Zq8lXm9Eir7Yl9CpTM3qq93gj5B4Bwp16G9pngGlbu9\n"
"hQOgD5lnNQSVQcmW6Xw5LA0jMzikl8PMYwJSlb/5r4SjZjBkMB0GA1UdDgQWBBRz\n"
"fNe6+CW0dZlkOxM/d/crTuLYHTAfBgNVHSMEGDAWgBRzfNe6+CW0dZlkOxM/d/cr\n"
"TuLYHTASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO\n"
"PQQDAgNnADBkAjA9R4XCyi9tCVKlJFzp0kCAL/30sK7lSMd7JBftbHtZ6RQ9rtT3\n"
"A0DEm1qtwYT4VA0CMD1SLwce6dOw8QjOJQ2YDAX+3HHs5z/NxL7tbxreGWcO6s2/\n"
"Tb9Ri+FMvvt4r87MWg==\n"
"-----END CERTIFICATE-----\n";
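/*
 * Minimal TLS connectivity check against a local Cassandra node.
 *
 * Loads server_ca_cert as the trusted certificate, enables peer-certificate
 * verification, connects to keyspace "test" on 127.0.0.1 using native
 * protocol v4, and reports whether the connection succeeded.
 *
 * Returns EXIT_SUCCESS when the session connected, EXIT_FAILURE when any
 * setup call or the connection itself failed (details go to stderr, and the
 * driver logs at trace level).
 */
int main(void)
{
    int exit_code = EXIT_FAILURE;
    CassError rc;

    cass_log_set_level(CASS_LOG_TRACE);

    CassCluster *cluster = cass_cluster_new();
    CassSession *session = cass_session_new();
    CassFuture *connect_future = NULL;
    CassSsl *ssl = cass_ssl_new();

    /* A trust anchor that fails to parse must stop the run: otherwise the
     * later handshake failure gives no hint that the CA never loaded. */
    rc = cass_ssl_add_trusted_cert(ssl, server_ca_cert);
    if (rc == CASS_OK) {
        /* CASS_SSL_VERIFY_PEER_CERT validates the chain against the trusted
         * certificate. It does not check that the certificate names the host
         * being contacted; CASS_SSL_VERIFY_PEER_IDENTITY adds that check.
         * NOTE(review): the server certificate on this page has CN=localhost
         * while the contact point is 127.0.0.1, so an identity check would
         * presumably need a matching subjectAltName. Confirm before enabling. */
        cass_ssl_set_verify_flags(ssl, CASS_SSL_VERIFY_PEER_CERT);
        cass_cluster_set_ssl(cluster, ssl);
    }
    /* Released right after cass_cluster_set_ssl(), as the original did. */
    cass_ssl_free(ssl);
    if (rc != CASS_OK) {
        fprintf(stderr, "cass_ssl_add_trusted_cert: %s\n", cass_error_desc(rc));
        goto out;
    }

    rc = cass_cluster_set_contact_points(cluster, "127.0.0.1");
    if (rc != CASS_OK) {
        fprintf(stderr, "cass_cluster_set_contact_points: %s\n", cass_error_desc(rc));
        goto out;
    }

    rc = cass_cluster_set_protocol_version(cluster, CASS_PROTOCOL_VERSION_V4);
    if (rc != CASS_OK) {
        fprintf(stderr, "cass_cluster_set_protocol_version: %s\n", cass_error_desc(rc));
        goto out;
    }

    /* The connect call is asynchronous and returns a future. The original
     * discarded it, so the result was never inspected and the future leaked. */
    connect_future = cass_session_connect_keyspace(session, cluster, "test");
    rc = cass_future_error_code(connect_future); /* blocks until the future resolves */
    if (rc != CASS_OK) {
        const char *message = NULL;
        size_t message_length = 0;

        cass_future_error_message(connect_future, &message, &message_length);
        fprintf(stderr, "connect failed: %s: %.*s\n",
                cass_error_desc(rc), (int)message_length, message ? message : "");
    } else {
        exit_code = EXIT_SUCCESS;
    }
    cass_future_free(connect_future);

out:
    cass_session_free(session);
    cass_cluster_free(cluster);
    return exit_code;
}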