
Add support for peer certificate verification #18

Merged
merged 1 commit into from
Nov 7, 2024

Conversation


@dimakr dimakr commented Nov 6, 2024

In the Rust driver, when TLS encryption is enabled, it is possible to verify whether the server certificate is trusted.

The change adds support for peer certificate verification to latte.

Fixes: #15

The change adds support for verifying whether the peer's certificate is trusted.

Fixes: scylladb#15
dimakr commented Nov 6, 2024

Some testing using a basic latte workload:

  1. Two CAs have been created:
❯ md5sum ~/Downloads/ssl_conf/ca.pem
7f37047eb33aa9be32dc9b8b5b90deaf  /home/dmitriy/Downloads/ssl_conf/ca.pem
❯ md5sum ~/Downloads/ssl_conf2/ca.pem
93104ae7e35c209282823d46edb0aaba  /home/dmitriy/Downloads/ssl_conf2/ca.pem

The certificate of the server under test has been generated and signed by CA1.
  2. Run latte with encryption enabled, but with no peer verification:

❯ cargo run run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl
    Finished dev [unoptimized + debuginfo] target(s) in 0.10s
     Running `target/debug/latte run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl`
info: Loading workload script /home/dmitriy/Work/Scylla/scylla-cluster-tests/docker/latte/workloads/workload.rn...
info: Connecting to ["52.51.61.135"]... 
info: Connected to PR-provision-test-dmitriy-db-cluster-c048f7e9 running Cassandra version 3.0.8
info: Preparing...
info: Warming up...
info: Running benchmark...
CONFIG ═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
            Date            Wed, 06 Nov 2024                                                          
            Time            14:13:31 +0100                                                            
         Cluster            PR-provision-test-dmitriy-db-cluster-c048f7e9                                            
      Datacenter                                                                                      
   Cass. version            3.0.8                                                                     
        Workload            workload.rn                                                               
     Function(s)            run:1                                                                     
     Consistency            LocalQuorum                                                               
            Tags                                                                                      
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         Threads                    1                                                                 
     Connections                    1                                                                 
     Concurrency     [req]        128                                                                 
        Max rate    [op/s]                                                                            
          Warmup       [s]                                                                            
              └─      [op]          1                                                                 
        Run time       [s]        3.0                                                                 
              └─      [op]                                                                            
        Sampling       [s]        1.0                                                                 
              └─      [op]                                                                            
 Request timeout       [s]          5                                                                 
         Retries                                                                                      
  ┌──────┴number                   10                                                                 
  ├─min interval      [ms]        100                                                                 
  └─max interval      [ms]       5000                                                                 

LOG ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Time    Cycles    Errors    Thrpt.     ────────────────────────────────── Latency [ms/op] ──────────────────────────────
     [s]      [op]      [op]    [op/s]             Min        50        75        90        95        99      99.9       Max
   1.002      2147         0      2144          41.189    51.544    57.803    65.733    69.665    84.607    93.651    95.093
   2.007      2492         0      2480          40.436    49.709    53.281    56.852    60.752    68.289    72.810    73.531
   3.002      2573         0      2588          41.026    47.514    50.528    53.314    55.378    60.817    69.403    71.631
   3.043       126         0      3014          41.026    49.447    51.905    52.920    53.412    53.740    53.936    53.936

SUMMARY STATS ══════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Elapsed time       [s]      3.061                                                                 
    ...
  3. Run latte with encryption and peer verification enabled, and provide the CA1 certificate. The check should pass, as the server certificate is trusted by CA1:
❯ cargo run run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl --ssl-peer-verification --ssl-ca ~/Downloads/ssl_conf/ca.pem
    Finished dev [unoptimized + debuginfo] target(s) in 0.10s
     Running `target/debug/latte run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl --ssl-peer-verification --ssl-ca /home/dmitriy/Downloads/ssl_conf/ca.pem`
info: Loading workload script /home/dmitriy/Work/Scylla/scylla-cluster-tests/docker/latte/workloads/workload.rn...
info: Connecting to ["52.51.61.135"]... 
info: Connected to PR-provision-test-dmitriy-db-cluster-c048f7e9 running Cassandra version 3.0.8
info: Preparing...
info: Warming up...
info: Running benchmark...
CONFIG ═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
            Date            Wed, 06 Nov 2024                                                          
            Time            14:21:56 +0100                                                            
         Cluster            PR-provision-test-dmitriy-db-cluster-c048f7e9                                            
      Datacenter                                                                                      
   Cass. version            3.0.8                                                                     
        Workload            workload.rn                                                               
     Function(s)            run:1                                                                     
     Consistency            LocalQuorum                                                               
            Tags                                                                                      
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         Threads                    1                                                                 
     Connections                    1                                                                 
     Concurrency     [req]        128                                                                 
        Max rate    [op/s]                                                                            
          Warmup       [s]                                                                            
              └─      [op]          1                                                                 
        Run time       [s]        3.0                                                                 
              └─      [op]                                                                            
        Sampling       [s]        1.0                                                                 
              └─      [op]                                                                            
 Request timeout       [s]          5                                                                 
         Retries                                                                                      
  ┌──────┴number                   10                                                                 
  ├─min interval      [ms]        100                                                                 
  └─max interval      [ms]       5000                                                                 

LOG ════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Time    Cycles    Errors    Thrpt.     ────────────────────────────────── Latency [ms/op] ──────────────────────────────
     [s]      [op]      [op]    [op/s]             Min        50        75        90        95        99      99.9       Max
   1.001      2464         0      2462          40.239    47.612    50.954    58.065    60.981    87.359    88.539    90.636
   2.003      2468         0      2463          40.272    48.562    52.888    58.098    62.390    70.910    73.794    74.646
   3.001      2658         0      2663          40.042    47.055    49.611    51.642    54.067    58.294    61.440    61.735
   3.043       127         0      3029          40.632    51.577    53.051    54.788    55.542    56.361    56.558    56.558

SUMMARY STATS ══════════════════════════════════════════════════════════════════════════════════════════════════════════════
    Elapsed time       [s]      3.056            
...
  4. Run latte with encryption and peer verification enabled, and provide the CA2 certificate. The check should fail, as the server certificate is not trusted by the provided CA:
❯ cargo run run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl --ssl-peer-verification --ssl-ca ~/Downloads/ssl_conf2/ca.pem
    Finished dev [unoptimized + debuginfo] target(s) in 0.09s
     Running `target/debug/latte run -d 3s ../scylla-cluster-tests/docker/latte/workloads/workload.rn 52.51.61.135 --ssl --ssl-peer-verification --ssl-ca /home/dmitriy/Downloads/ssl_conf2/ca.pem`
info: Loading workload script /home/dmitriy/Work/Scylla/scylla-cluster-tests/docker/latte/workloads/workload.rn...
info: Connecting to ["52.51.61.135"]... 
error: Cassandra error: Could not connect to 52.51.61.135: IO Error: No connections in the pool; last connection failed with: IO Error: Connection broken

@dimakr dimakr marked this pull request as ready for review November 6, 2024 13:53
@dimakr dimakr requested review from fruch and vponomaryov November 6, 2024 13:53
@dimakr dimakr self-assigned this Nov 6, 2024
@dimakr dimakr added the enhancement New feature or request label Nov 6, 2024
@vponomaryov vponomaryov left a comment

LGTM

@fruch fruch left a comment

LGTM

@vponomaryov vponomaryov merged commit f09e9b8 into scylladb:main Nov 7, 2024
4 checks passed
Successfully merging this pull request may close these issues.

latte has no option to force hostname validation
3 participants