Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Nguyen, Kyle kyle.nguyen at philips.com
Tue Aug 30 15:01:21 EDT 2016


Hi Luke,

I believe this is not the case. The Java riak-client (version 2.0.6) that I used does validate the server's cert but not checking on server's CN. If I replaced getACert CA in the trustor with another unknown CA then SSL will fail with "unable to find valid certification path to requested target". I don't even see an option to ignore server cert validation on the client side. I am wondering if you can help provide some details related to SSL certification validation configuration.

My riak node builder code:
RiakNode.Builder builder = new RiakNode.Builder().withRemoteAddress("127.0.0.1").withRemotePort(8087);
            builder.withAuth(username, password, trustStore, keyStore, keyPasswd);

Thanks

-Kyle-


-----Original Message-----
From: Luke Bakken [mailto:lbakken at basho.com]
Sent: Tuesday, August 30, 2016 7:14 AM
To: Nguyen, Kyle
Cc: Riak Users
Subject: Re: Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Kyle -

The CN should be either the DNS-resolvable host name of the Riak node, or its IP address (without "riak@"). Then, the Java client should be configured to use that to connect to the node (either DNS or IP).
Without doing that, I really don't have any idea how the Java client is validating the server certificate during TLS handshake. Did you configure the client to *not* validate the server cert?

--
Luke Bakken
Engineer
lbakken at basho.com


On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.nguyen at philips.com> wrote:
> Hi Luke,
>
> The CN for client's certificate is "kyle" and the CN for riak cert (ssl.certfile) is "riak at 127.0.0.1" which matches the nodename in the riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both client and riak public keys. It appears that riak also validated the client certificate following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.


More information about the riak-users mailing list