plugins/cassandra: add tls_server_name (#11820) (#11829)

* plugins/cassandra: add tls_server_name (#11820) * db/cassandra: add tls_server_name * Remove changes from deprecated engine * db/cassandra: Adding changelog and documentation (#11822) * db/cassandra: add tls_server_name * Remove changes from deprecated engine * Add changelog and doc
hashicorp · Jun 11, 2021 · 60aea93 · 60aea93
1 parent a5ebeca
commit 60aea93
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/changelog/11820.txt b/changelog/11820.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+db/cassandra: Added tls_server_name to specify server name for TLS validation
+```
diff --git a/plugins/database/cassandra/connection_producer.go b/plugins/database/cassandra/connection_producer.go
@@ -27,6 +27,7 @@ type cassandraConnectionProducer struct {
 	Password           string      `json:"password" structs:"password" mapstructure:"password"`
 	TLS                bool        `json:"tls" structs:"tls" mapstructure:"tls"`
 	InsecureTLS        bool        `json:"insecure_tls" structs:"insecure_tls" mapstructure:"insecure_tls"`
+	TLSServerName      string      `json:"tls_server_name" structs:"tls_server_name" mapstructure:"tls_server_name"`
 	ProtocolVersion    int         `json:"protocol_version" structs:"protocol_version" mapstructure:"protocol_version"`
 	ConnectTimeoutRaw  interface{} `json:"connect_timeout" structs:"connect_timeout" mapstructure:"connect_timeout"`
 	SocketKeepAliveRaw interface{} `json:"socket_keep_alive" structs:"socket_keep_alive" mapstructure:"socket_keep_alive"`
@@ -184,7 +185,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 	clusterConfig.SocketKeepalive = c.socketKeepAlive
 
 	if c.TLS {
-		sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.InsecureTLS)
+		sslOpts, err := getSslOpts(c.certBundle, c.TLSMinVersion, c.TLSServerName, c.InsecureTLS)
 		if err != nil {
 			return nil, err
 		}
@@ -230,7 +231,7 @@ func (c *cassandraConnectionProducer) createSession(ctx context.Context) (*gocql
 	return session, nil
 }
 
-func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
+func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion, serverName string, insecureSkipVerify bool) (*gocql.SslOptions, error) {
 	tlsConfig := &tls.Config{}
 	if certBundle != nil {
 		if certBundle.Certificate == "" && certBundle.PrivateKey != "" {
@@ -253,6 +254,10 @@ func getSslOpts(certBundle *certutil.CertBundle, minTLSVersion string, insecureS
 
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
+	if serverName != "" {
+		tlsConfig.ServerName = serverName
+	}
+
 	if minTLSVersion != "" {
 		var ok bool
 		tlsConfig.MinVersion, ok = tlsutil.TLSLookup[minTLSVersion]

diff --git a/website/content/api-docs/secret/databases/cassandra.mdx b/website/content/api-docs/secret/databases/cassandra.mdx
@@ -43,6 +43,9 @@ has a number of parameters to further configure a connection.
 - `insecure_tls` `(bool: false)` – Specifies whether to skip verification of the
   server certificate when using TLS.
 
+- `tls_server_name` `(string: "")` – Specifies the name to use as the SNI host when 
+  connecting to the Cassandra server via TLS.
+
 - `pem_bundle` `(string: "")` – Specifies concatenated PEM blocks containing a
   certificate and private key; a certificate, private key, and issuing CA
   certificate; or just a CA certificate.