PYTHON_1186: Connection fails to validate ssl certificate hostname when SSLContext.check_hostname is set (datastax#1059)

* Fix Connection fails to validate ssl certificate hostname when SSLContext.check_hostname is set

Author: aboudreault

CHANGELOG.rst

@@ -11,6 +11,7 @@ Features
 Bug Fixes
 ---------
 * re-raising the CQLEngineException will fail on Python 3 (PYTHON-1166)
+* Connection fails to validate ssl certificate hostname when SSLContext.check_hostname is set
 
 3.20.2
 ======

cassandra/connection.py

@@ -616,7 +616,14 @@ def factory(cls, endpoint, timeout, *args, **kwargs):
             return conn
 
     def _wrap_socket_from_context(self):
-        self._socket = self.ssl_context.wrap_socket(self._socket, **(self.ssl_options or {}))
+        ssl_options = self.ssl_options or {}
+        # PYTHON-1186: set the server_hostname only if the SSLContext has
+        # check_hostname enabled and it is not already provided by the EndPoint ssl options
+        if (self.ssl_context.check_hostname and
+                'server_hostname' not in ssl_options):
+            ssl_options = ssl_options.copy()
+            ssl_options['server_hostname'] = self.endpoint.address
+        self._socket = self.ssl_context.wrap_socket(self._socket, **ssl_options)
 
     def _initiate_connection(self, sockaddr):
         self._socket.connect(sockaddr)

docs/security.rst

@@ -69,6 +69,14 @@ To enable SSL with version 3.17.0 and higher, you will need to set :attr:`.Clust
 to a dict of options. These will be passed as kwargs to ``ssl.SSLContext.wrap_socket()``
 when new sockets are created.
 
+If you create your SSLContext using `ssl.create_default_context <https://docs.python.org/3/library/ssl.html#ssl.create_default_context>`_,
+be aware that SSLContext.check_hostname is set to True by default, so the hostname validation will be done
+by Python and not the driver. For this reason, we need to set the server_hostname at best effort, which is the
+resolved ip address. If this validation needs to be done against the FQDN, consider enabling it using the ssl_options
+as described in the following examples or implement your own :class:`~.connection.EndPoint` and
+:class:`~.connection.EndPointFactory`.
+
+
 The following examples assume you have generated your Cassandra certificate and
 keystore files with these intructions:
 

tests/integration/long/ssl/.keystore

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAfMCFHXm/9f6KJL3965bBgZMFdd4Xs0gMA0GCSqGSIb3DQEBCwUAMEIx
+CzAJBgNVBAYTAlVTMREwDwYDVQQKDAhkYXRhc3RheDEPMA0GA1UECwwGZmllbGRz
+MQ8wDQYDVQQDDAZyb290Q2EwHhcNMTkxMTI3MTk1ODA3WhcNMjAxMTI2MTk1ODA3
+WjBCMQswCQYDVQQGEwJVUzERMA8GA1UECgwIZGF0YXN0YXgxDzANBgNVBAsMBmZp
+ZWxkczEPMA0GA1UEAwwGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4SEvwK9IbwdVEnBEf6UbYyaGh0Ao4VGyIA2Z2yDTmSIqBgBZjbBdYr1w
+FC0nMqKgAI0NOqZHNRiuOUojweHZLwrYhVPg2e/Va+vGslQY+cKmAYDTCsxhEwv7
+4PXiI6QhGwmfhnSnA0+nzPKZU1SFFWl9Od07X8QJWJMLHDOG14OnsWI2t4wetkIw
+6yyTXfyAD9mSsQeqyu5P6E94E2VAGtQvP4yeAJX/dWPYhFEBctsQ0H+Jk2GK3kBe
+9YX9Jhk4Ono8cdUy3WfUFQRXgi01YmF1vI+Z0fS0olkdqw8mDonFpMS0ly97Lnze
+aOsTv3s/SONdYa3BslbEAwUT7kvE4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAH
+QZDTPBQgMbTCp8IJvDRbXKQAfjEE7FjYani1qWOMx5JpOJIoYHnnbLNRxCWowWRj
+zsyOa5Sqs0TVOS5/4QHqu+cSdZsUNL9TvESor+BwgSf81JViD0r//xK+j58pLqB1
+F+sPIltIqclWRN/QZH1VNZ+G0WQiXoT+YGNYRzJtXNBQAi3cxZSXLaeZ6yViWzw3
+m8IL0nUTX+uNxJSaFqZw1vTHBe0hC/l+P3YfnM1k6lg4lsWDvzdwNKfmohFlo5eV
+OSG89YncwigG1KUHfQ1ECX7aaI8+cTFEg5XWTMqwVko1pRVVL9mVF/YEwI/+ydaJ
+whmL77CEP1AvHIjdiafh
+-----END CERTIFICATE-----

tests/integration/long/ssl/127.0.0.1.keystore

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhIS/Ar0hvB1US
+cER/pRtjJoaHQCjhUbIgDZnbINOZIioGAFmNsF1ivXAULScyoqAAjQ06pkc1GK45
+SiPB4dkvCtiFU+DZ79Vr68ayVBj5wqYBgNMKzGETC/vg9eIjpCEbCZ+GdKcDT6fM
+8plTVIUVaX053TtfxAlYkwscM4bXg6exYja3jB62QjDrLJNd/IAP2ZKxB6rK7k/o
+T3gTZUAa1C8/jJ4Alf91Y9iEUQFy2xDQf4mTYYreQF71hf0mGTg6ejxx1TLdZ9QV
+BFeCLTViYXW8j5nR9LSiWR2rDyYOicWkxLSXL3sufN5o6xO/ez9I411hrcGyVsQD
+BRPuS8ThAgMBAAECggEBAN6HezgvCp4U1VZgepThkuyyzA8ssDvoEPX1+7rJ+95G
+EtvTxLF1Pxm2vu5yo2g9r4Jb6lOqwIAPYUdnrWib4Z3KTrObcYp6sq72Y3UqA3X9
+nTGnMPRfiSTWl6aJ5XntZnvfSzwQWnW/atH+iuf/h3zexNVJhMLod4SB9F1v4T1s
+HgVjDJ/4cLomtNDkB0CwhgNr6elASL/DLnWC4Fb+C7HpJtu4A4U/08DWD6kAfs5a
+zaSTywXVtxpp4NSMJUUI6KQZEfA4uLP8dLX5QMYgdwfpKXkVturTWMIUmU73IWCk
+CaDMdXNeKU7d2iJIQi3DlHrcVZm+MaQKW79N5XUo3TECgYEA/u28rQM7AAWNNEJI
+Gj/iGGFF6lE2V+o2uWySxEZeb0noWzuyUP2bKU+CbYhaS6YCAtEEkLCHSt6D4jZs
+vUxJTz3H99F4jqLbI0iZE+TKh0ff0oVDq8odmn03QylbZ3+H0xgfumjyOtQ9/CKs
+1fIA7pXXu0M2J7znYes/tUsINs8CgYEA4hNj9gk2xCrKE/onmzodWa1F4VrsrajC
+aDZmm7P+gZb/7p2JRn54K0SWSJthVNu3WnnzNFjR4lsRN7jVxscWb5Uq0ppYNjj6
+5Y3IU7F8zhib1zaasqPpvZpq2rK0AwFeQN8aZrLhWEPVii30HnLc9cQRFcHiZfWj
+/amGJzB2NU8CgYAs1Jf6gPfuMAu95e4SF6vmB60o4LFC0qBfCVXiCFHxFjkzWhMo
+pQCVSjMwmervJLlzz1gTLcgNBYaB0Hpc6750nfO9g+vEgaUx1kF9Ox3WnnAg8GiP
+HFMKaPy/5dT6JXY4TCTAPlZivBJOdbaZRR6e1mECwHYUlObH1Hv2oMRIBwKBgHzW
+UkOBMQG/0xiW8RnxTFXBra3URI9cegWLzLs7+FTc6fR8f1oy6e6SkB4F1whBz4yh
+fJ+yUCubN/W6FioOs5/oEd57pixC6KCr2ywD/TPdOOjtWR0+EAtH4qtjNK3YKpDN
+4clGC9NumdMUrxHFQahgnUKTbo34x5aB7vdi9lNXAoGBAJrYYiVUe46FDAGZUzKG
+xMuJS693kx23vC/PNaIP9wMa58aOEtTw+zLdyioiQIvxmJXTnEKWFK25z0n0gDJM
+hMar/CFrERHooWRjn+a5kyKXppJ1DHtoSho67wOjejsnikjQvmppEBFr1YjvyDhD
+kY44x2EM9WzqlrwHtBeblQWE
+-----END PRIVATE KEY-----

tests/integration/long/ssl/cassandra.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDha8+NBvpTmTbw
+D2EIodXlaaAEtLmXTGoH8pdBm3JxzMuUEkYbGig3YjQ1BAKQgCB1TJGPINcHz7Jo
+5aW5To1jrxhhohZYQLCNKlAONDhgJbHEPf7s8dreQ/q5ISt/2I3z68c9I0j3VoRz
+AxxcNktl/x+6YkXe9tXf/LWmJk/gHlu72/HuJ5oNyqOKaCCoMoib3jLTlR+lslTy
+Qy/CJZH6WJabLOPmppFLaxJMlSGDSTE/Xktt7+H5ssHnfQtyWyylVjZkzChJfBgh
+HrLpm3hO5rmqVwOhoKLKVDFMmX3aMGX2S+3KpXQ8gLnPXwfLI9J9fDg5jp7bya4k
+OXlZfB5hAgMBAAECggEBANQVFbmudfgPL4PeREHV2SM1JCspSW9SonOFxs8gDCWL
+M4HFS5YWHv40c7/pXOxMz7zsZApQMF8WBtnwLeJRSG8f/oVk9Tbk7fZyd81VTjEP
+ZdenKGAPEAeL16kzzvRCbxOtoc8gkna6PHTk2VrcbkWxKU23RduHSiOpY9HFO+Mz
+iI69tB7657NOiZCQ6xDIjKv+jR63m7VAWKT5jkN+tYpvx4K20na5t8RO1s0shqNE
+e2zMG8WXVl6lW4btfkt/lwWUNXu8olMTk9qN2b5Rq7BEJfKwn3lb9vCpUMyewtRB
+/8U+Zu7Tlwni5QagOqAUEkjuOJ8cR/Jgwu1mqV2sXxECgYEA9zXi0PjWAe2ZIALd
+1iWPZCvvT7yEjt4ulhAYPqi8T38B4K5f//m5SuYPS2ebmSAd2WBTeIX2A6mHc9lk
+53gnwvsgAqaFgjYeDqBThpCE8icFXEZnJbtnJyC8zC7pYjUovAHkFEdLw5kQoI6Y
+i9HNOS9ugSut8RnF0oSv/E2mahUCgYEA6W+ZAEneBBCsOQclVfVPLm7D+y+5SZEt
+zWr2b7CCnGCev/qRCllIEwQ2+W1ACEHof9xjE+aWwEQjX8YnoVbAJo2ru6FFQfI+
+f/SQx7beX8jUAeJGo+CFr2ijdVmcCCbMGeAm8mpACUIQfWPHVqjtGS/CayxdfwA+
+lbWPbkXCMh0CgYBfUgHRPgGW4LyoYTKUfgsaPu6ZukEKrZUc+7u9fWaO6JQaxGHz
+26CcxrSjCKIwmvend8L3t/+yTc4S14JW1jfOsPIY04irOp7AWQWb32HD1VP1zpe7
+LtWJetARkw0edwzr4XbGcu89zmlg31rmntEY+bcMS4FYc+2ZTNxm1rISOQKBgGQZ
+lct44Xpux9tghBMbMUwg9WtWKKcyWSi4EFsOnsN97zU1tlJwvKZi7UwCHC4uTQvf
+LqFPBSAHV//u0fmuYJFnuNeprTA9N63Y6uipMyxxyu/P3yjQ06LHRSjCN1WLhYQn
+Cax0AWe266lJSyaPI7TkNQOOL72RFkVOaOYJhd/FAoGAPtpVPTiVK0RYwLnZqaWB
+fxyI6w+UjOEbP88vD7N7FEI2kQSGQ6F3pMzDK37NglJVtwjgzEIF9x9BIE8XSf16
+shc0U73Vg9ZsXDNPUz21hhAwYL1cCgnx0mfL88F1Icb5FfxlT/1BPHNHKowA9vST
+ihbxCJg/JJBzwXTxPocQisk=
+-----END PRIVATE KEY-----