feat: Add support for legacy Common Name certificate verification

Modern Go TLS (1.15+) requires certificates to use Subject Alternative Names
(SANs) and rejects certificates that only have Common Name (CN) fields.
This causes connection failures with older Cassandra certificates.

This commit adds an AllowLegacyCN configuration option that:
- Bypasses standard TLS verification when enabled
- Manually verifies the certificate chain is signed by trusted CA
- Manually verifies the CN matches the expected hostname
- Falls back to standard SAN verification if available

Security is maintained through manual certificate chain and hostname
verification in the VerifyConnection callback. This provides the same
security guarantees as SAN-based verification.

For cqlshrc compatibility, AllowLegacyCN is automatically enabled when
validate=true is set, matching cqlsh behavior with legacy certificates.

Author: hshimizu

internal/config/config.go

@@ -47,6 +47,7 @@ type SSLConfig struct {
 	CAPath             string `json:"caPath,omitempty"`             // Path to CA certificate
 	HostVerification   bool   `json:"hostVerification,omitempty"`   // Enable hostname verification
 	InsecureSkipVerify bool   `json:"insecureSkipVerify,omitempty"` // Skip certificate verification (not recommended for production)
+	AllowLegacyCN      bool   `json:"allowLegacyCN,omitempty"`      // Allow legacy Common Name field (certificates without SANs)
 }
 
 // AIConfig holds AI provider configuration
@@ -537,7 +538,8 @@ func loadCQLSHRC(path string, config *Config) error {
 					logger.DebugfToFile("CQLSHRC", "Set InsecureSkipVerify to true and HostVerification to false")
 				} else {
 					config.SSL.HostVerification = true
-					logger.DebugfToFile("CQLSHRC", "Set HostVerification to true")
+					config.SSL.AllowLegacyCN = true // Enable legacy CN support for cqlshrc compatibility
+					logger.DebugfToFile("CQLSHRC", "Set HostVerification to true and AllowLegacyCN to true")
 				}
 			}
 		}

internal/db/db.go

@@ -561,18 +561,26 @@ func (s *Session) SetKeyspace(keyspace string) error {
 
 // createTLSConfig creates a TLS configuration based on the SSL settings
 func createTLSConfig(sslConfig *config.SSLConfig, hostname string) (*tls.Config, error) {
-	tlsConfig := &tls.Config{
-		InsecureSkipVerify: sslConfig.InsecureSkipVerify, // #nosec G402 - Configurable TLS verification
-	}
-
-	// Set ServerName for hostname verification
-	// This is critical when connecting via IP but need to verify against hostname in certificate
-	if sslConfig.HostVerification && hostname != "" {
+	// Determine server name for hostname verification
+	serverName := hostname
+	if hostname != "" {
 		// Strip port if present (hostname might be "host:port")
 		if colonIdx := strings.LastIndex(hostname, ":"); colonIdx > 0 {
-			hostname = hostname[:colonIdx]
+			serverName = hostname[:colonIdx]
 		}
-		tlsConfig.ServerName = hostname
+	}
+
+	// When AllowLegacyCN is enabled, we need to bypass standard verification
+	// and do manual verification in VerifyConnection
+	skipVerify := sslConfig.InsecureSkipVerify || (sslConfig.AllowLegacyCN && sslConfig.HostVerification)
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: skipVerify, // #nosec G402 - Configurable TLS verification
+	}
+
+	// Set ServerName for hostname verification (only when not using legacy CN verification)
+	if sslConfig.HostVerification && !sslConfig.AllowLegacyCN && serverName != "" {
+		tlsConfig.ServerName = serverName
 	}
 
 	// Load client certificate if provided
@@ -598,9 +606,56 @@ func createTLSConfig(sslConfig *config.SSLConfig, hostname string) (*tls.Config,
 		tlsConfig.RootCAs = caCertPool
 	}
 
-	// Configure hostname verification
-	if !sslConfig.HostVerification {
-		tlsConfig.InsecureSkipVerify = true
+	// Manual verification for legacy CN certificates
+	// We skip standard verification and manually check the certificate
+	if sslConfig.AllowLegacyCN && sslConfig.HostVerification {
+		tlsConfig.VerifyConnection = func(cs tls.ConnectionState) error {
+			if len(cs.PeerCertificates) == 0 {
+				return fmt.Errorf("no peer certificates")
+			}
+
+			// Build intermediates pool
+			intermediates := x509.NewCertPool()
+			for _, cert := range cs.PeerCertificates[1:] {
+				intermediates.AddCert(cert)
+			}
+
+			// First try standard verification with SANs
+			opts := x509.VerifyOptions{
+				DNSName:       serverName,
+				Intermediates: intermediates,
+			}
+			if tlsConfig.RootCAs != nil {
+				opts.Roots = tlsConfig.RootCAs
+			}
+
+			_, err := cs.PeerCertificates[0].Verify(opts)
+			if err == nil {
+				return nil // Standard verification with SANs passed
+			}
+
+			// If standard verification failed, try legacy CN verification
+			// First verify the certificate chain without hostname check
+			optsNoHostname := x509.VerifyOptions{
+				Intermediates: intermediates,
+			}
+			if tlsConfig.RootCAs != nil {
+				optsNoHostname.Roots = tlsConfig.RootCAs
+			}
+
+			_, err = cs.PeerCertificates[0].Verify(optsNoHostname)
+			if err != nil {
+				return fmt.Errorf("certificate verification failed: %v", err)
+			}
+
+			// Chain is valid, now check CN
+			cert := cs.PeerCertificates[0]
+			if cert.Subject.CommonName == serverName {
+				return nil // Legacy CN matches
+			}
+
+			return fmt.Errorf("certificate CN %q doesn't match expected hostname %q", cert.Subject.CommonName, serverName)
+		}
 	}
 
 	return tlsConfig, nil