mTLS two way auth db - Kong

Hello everyone,

I’m trying to connect my db (Cassandra) with Kong using two-way auth (server auth and client auth). Currently I’m using Kong 2.4.0 and Cassandra 3.11.11 in Docker.
I can see there are settings for API requests for TLS communication (ssl_cert and ssl_cert_key), and also an mTLS plugin for the Enterprise edition, but when it comes to Cassandra I can’t see a setting to make Kong send its cert to the server (Cassandra).

I also struggle to see how Kong defines its handshake; I can’t really work on the Lua.

Is it not supported by Kong currently, or by the OpenResty/Lua libs behind it? Should I configure something in a custom nginx config?

I think Kong just sends me a generic error for the handshake:
/usr/local/share/lua/5.1/kong/cmd/start.lua:33: [Cassandra error] all hosts tried for query failed. 172.18.0.3: SSL handshake: sslv3 alert bad certificate

I can see in the Cassandra logs (enabling Java handshake logging):

ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|FINE|55|epollEventLoopGroup-2-2|CertificateMessage.java:372|Consuming client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|SEVERE|55|epollEventLoopGroup-2-2|TransportContext.java:316|Fatal (BAD_CERTIFICATE): Empty server certificate chain (

Thanks for any help or advice.

Have you checked Configuration Reference for Kong Gateway - v2.7.x | Kong Docs? The official docs have a few settings you can use to communicate with Cassandra.

Please note Cassandra is deprecated. I would suggest you use Postgres (if possible) instead.

Thanks for the reply @fomm !

I can see from newer docs (Kong 2.6.x and 2.7.x) there are pg_ssl_cert and pg_ssl_cert_key. I did not quite understand whether they are Enterprise or OSS features, because I can’t notice them in the kong.default
( kong/kong.conf.default at 2.7.0 · Kong/kong · GitHub ).

I was looking for something similar for Cassandra. I would say they didn’t work on some cassandra_ssl_cert and cassandra_ssl_cert_key for mutual auth, since Kong will not support Cassandra anymore.

So the best advice would be to migrate to Postgres and to a newer Kong version?

I don’t know if there would be some workaround to this issue.

I knew these two settings for using mutual TLS with Postgres, so I assumed there are similar ones for Cassandra. (I was wrong…)

pg_ssl_cert and pg_ssl_cert_key are for both OSS and Enterprise versions. If you don’t see Enterprise badge, it means the parameter works for both versions.

I would suggest you migrate to Postgres, as Cassandra is deprecated.

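As an added illustration (not configuration from this thread or from Kong's own docs): a kong.conf fragment that wires Kong to Postgres over mutual TLS using the pg_ssl_cert and pg_ssl_cert_key settings discussed above. pg_ssl, pg_ssl_verify and lua_ssl_trusted_cert are existing Kong settings; the host and certificate paths are placeholders. The failure shown in the first post (the server requires client auth and receives an empty certificate chain) is exactly the case the last two settings address for Postgres.

```ini
# Added example, not from the thread or Kong's documentation.
# Host and certificate paths are placeholders.
database = postgres
pg_host = db.example.internal
pg_port = 5432

# Encrypt the connection to Postgres.
pg_ssl = on

# Verify the server certificate against a trusted CA. With pg_ssl_verify = off
# the channel is encrypted but any server certificate is accepted.
pg_ssl_verify = on
lua_ssl_trusted_cert = /etc/kong/certs/db-ca.crt

# Client certificate and key Kong presents during the handshake
# (documented in the 2.6.x/2.7.x references cited above; OSS and Enterprise).
# Without these, Kong sends an empty certificate chain and a server that
# requires client auth aborts the handshake with bad_certificate.
pg_ssl_cert = /etc/kong/certs/kong-client.crt
pg_ssl_cert_key = /etc/kong/certs/kong-client.key
```

Keep the key file readable only by the user Kong runs as, and check the Postgres side separately: the server must trust the CA that issued the client certificate and must be configured to require it, otherwise the handshake succeeds without proving the client's identity.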