From 60aea9311069cff4a1a3da083cea8e4656a1475c Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Thu, 10 Jun 2021 20:59:20 -0400
Subject: [PATCH] plugins/cassandra: add tls_server_name (#11820) (#11829)
* plugins/cassandra: add tls_server_name (#11820)
* db/cassandra: add tls_server_name
* Remove changes from deprecated engine
* db/cassandra: Adding changelog and documentation (#11822)
* db/cassandra: add tls_server_name
* Remove changes from deprecated engine
* Add changelog and doc
---
 changelog/11820.txt | 3 +++
 plugins/database/cassandra/connection_producer.go | 9 +++++++--
 website/content/api-docs/secret/databases/cassandra.mdx | 3 +++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 changelog/11820.txt
diff --git a/changelog/11820.txt b/changelog/11820.txt
new file mode 100644
index 0000000000000..a0d2c0e82d9e7
--- /dev/null
+++ b/changelog/11820.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+db/cassandra: Added tls_server_name to specify server name for TLS validation
+```
\ No newline at end of file
diff --git a/plugins/database/cassandra/connection_producer.go b/plugins/database/cassandra/connection_producer.go
index 4e24ff1d36fca..1544e18778f00 100644
--- a/plugins/database/cassandra/connection_producer.go
+++ b/plugins/database/cassandra/connection_producer.go
@@ -27,6 +27,7 @@ type cassandraConnectionProducer struct {
 	Password           string      `json:"password" structs:"password" mapstructure:"password"`
 	TLS                bool        `json:"tls" structs:"tls" mapstructure:"tls"`
 	InsecureTLS        bool        `json:"insecure_tls" structs:"insecure_tls" mapstructure:"insecure_tls"`
+	TLSServerName      string      `json:"tls_server_name" structs:"tls_server_name" mapstructure:"tls_server_name"`
 	ProtocolVersion    int         `json:"protocol_version" structs:"protocol_version" mapstructure:"protocol_version"`
 	ConnectTimeoutRaw  interface{} `json:"connect_timeout" structs:"connect_timeout" mapstructure:"connect_timeout"`
 	SocketKeepAliveRaw interface{} `json:"socket_keep_alive" structs:"socket_keep_alive" mapstructure:"socket_keep_alive"`
@@ -184,7 +185,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 	clusterConfig.SocketKeepalive = c.socketKeepAlive
 
 	if c.TLS {
-		sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.InsecureTLS)
+		sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.TLSServerName, c.InsecureTLS)
 		if err != nil {
 			return nil, err
 		}
@@ -230,7 +231,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 	return session, nil
 }
 
-func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
+func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion, serverName string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
 	tlsConfig := &tls.Config{}
 	if certBundle != nil {
 		if certBundle.Certificate == "" && certBundle.PrivateKey != "" {
@@ -253,6 +254,10 @@ func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureS
 
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
+	if serverName != "" {
+		tlsConfig.ServerName = serverName
+	}
+
 	if minTLSVersion != "" {
 		var ok bool
 		tlsConfig.MinVersion, ok = tlsutil.TLSLookup[minTLSVersion]
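Review bot: In the last hunk, `tlsConfig.ServerName = serverName` silently does double duty that neither the code nor the accompanying API docs spell out: Go uses `tls.Config.ServerName` both as the SNI value sent to the server and as the name the server certificate is verified against, but only when `InsecureSkipVerify` is false, and the line just above sets `InsecureSkipVerify` from `insecure_tls`. An operator who sets `tls_server_name` together with `insecure_tls = true` gets SNI routing but no hostname check, while the changelog calls the option "server name for TLS validation". I would add a why-comment above the new block, `// ServerName is sent as SNI and, unless InsecureSkipVerify is set, is the name the server certificate is verified against; with insecure_tls it is SNI only.`, and state the same interaction in the API docs instead of describing the field as the SNI host alone. It is also worth confirming that the gocql version in use does not overwrite `ServerName` per contact point after cloning the supplied `Config`, since that would make the option inert; I cannot verify that from the hunk. The remainder of getSslOpts, including how the gocql host-verification option is derived from `insecureSkipVerify`, lies outside the hunk.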
diff --git a/website/content/api-docs/secret/databases/cassandra.mdx b/website/content/api-docs/secret/databases/cassandra.mdx
index 5059901235e0d..d4e73a7958452 100644
--- a/website/content/api-docs/secret/databases/cassandra.mdx
+++ b/website/content/api-docs/secret/databases/cassandra.mdx
@@ -43,6 +43,9 @@ has a number of parameters to further configure a connection.
 - `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the server certificate when using TLS.
+- `tls_server_name` `(string: "")` – Specifies the name to use as the SNI host when
+  connecting to the Cassandra server via TLS.
+
 - `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.