Connection fails to validate SSL certificate hostname when SSLContext.check_hostname is set

Description

Currently, if a programmer wants to use the Python driver to initiate an SSL connection while verifying that the certificate is valid for the current host, they need to explicitly pass in the hostname in the Cluster's ssl_options parameter. This is both a violation of the Python SSL module's design principles (which intend for the server_hostname to be set at the point of socket creation) and impractical for a Cluster which includes more than one Cassandra node (because the user can only specify one hostname, causing connections to the rest of the cluster to fail).

The linked pull request moves the logic for setting the server_hostname into the DefaultEndPoint class, which is by necessity designed to be aware of the address to which the server is connecting. This allows hostname checking to act correctly on each individual server in the pool, rather than requiring the user to specify a static host.

This change likely also necessitates unit test updates. As an initial baseline, in the PR I added a test to the SSL integration suite which verifies that we can connect using ssl.create_default_context(). This function is now the recommended way to configure SSL in Python, because it automatically turns on the security features that are generally expected from an SSL connection (certificate validation which defaults to the OS trust store, hostname verification, and a sane list of allowed protocol versions and cipher suites). As a follow-up action, I would recommend updating the security documentation to recommend using this function rather than the bare SSLContext() constructor.

While writing this integration test, I noticed an irregularity in the server certificate used in the test suite which causes failures in hostname matching on Python >= 3.7. During that update cycle, Python added stricter hostname matching which requires that certificates list any IP addresses they are valid for in SAN fields. I recommend a second follow-up action of regenerating the certificate used in these tests to properly include 127.0.0.1 in a SAN record.
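The following is an added, stand-alone example illustrating the two points above (the context from ssl.create_default_context() and supplying server_hostname per endpoint at wrap time). It is not code from the linked pull request or from the driver; the wrap_for_endpoint helper and the three node names are hypothetical, and the sockets are never connected, so it runs offline. With check_hostname enabled, Python's ssl module refuses to wrap a socket that has no server_hostname, which is the failure the title describes; handing each endpoint its own address avoids it without a single static hostname in ssl_options.

```python
import socket
import ssl


def build_context() -> ssl.SSLContext:
    """create_default_context() enables CERT_REQUIRED, check_hostname and the
    OS trust store; a bare ssl.SSLContext() leaves verification off."""
    return ssl.create_default_context()


def wrap_for_endpoint(ctx: ssl.SSLContext, sock: socket.socket, host: str) -> ssl.SSLSocket:
    """Hypothetical helper: the endpoint's own address is supplied at wrap time,
    so hostname checking works for every node in the pool.
    do_handshake_on_connect=False keeps the example offline."""
    return ctx.wrap_socket(sock, server_hostname=host, do_handshake_on_connect=False)


def wrap_without_hostname(ctx: ssl.SSLContext, sock: socket.socket):
    """The failing pattern: a verifying context but no server_hostname.
    Returns the ValueError message instead of a socket."""
    try:
        ctx.wrap_socket(sock, do_handshake_on_connect=False)
    except ValueError as exc:
        return str(exc)
    return None


def demo() -> dict:
    ctx = build_context()
    results = {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }

    # Failure mode: wrapping without server_hostname under check_hostname.
    with socket.socket() as plain:
        results["no_hostname_error"] = wrap_without_hostname(ctx, plain)

    # Constructed three-node cluster; each connection gets its own hostname.
    endpoints = ["node1.example.internal", "node2.example.internal", "node3.example.internal"]
    seen = []
    for host in endpoints:
        wrapped = wrap_for_endpoint(ctx, socket.socket(), host)
        seen.append(wrapped.server_hostname)
        wrapped.close()
    results["hostnames"] = seen
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When the sockets are actually connected, the handshake then verifies each node's certificate against the hostname that was supplied for that node, which is also why a certificate used with an IP literal such as 127.0.0.1 must carry that address in a SAN entry on Python 3.7 and later.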

Environment

None

Pull Requests

None

Status

Assignee

Alan Boudreault

Reporter

Jacob Emmert-Aronson

Fix versions

Labels

None

Reproduced in

None

PM Priority

None

External issue ID

None

Doc Impact

None

Reviewer

None

Size

None

Priority

Major