I've generated a self-signed cert using this Scylla tutorial. Started a ScyllaDB node, everything's fine and dandy.

Now it's time to connect clients. Here's the script:

from cassandra.cluster import Cluster

ssl_options = dict(
    ca_certs='db.crt',
    cert_reqs=False,
    ssl_version=None,
    keyfile=None,
    certfile=None
)

cluster = Cluster(
    ['<my_ip>'], port=9142,
    ssl_options=ssl_options
)
cluster.connect()

The db.crt file is the PEM format certificate for the private key signed by the CA.

On Ubuntu 22.04 it works as expected. On Windows 10 I get:

Traceback (most recent call last):
  File "C:\Users\...", line 27, in <module>
    cluster.connect()
  File "cassandra\cluster.py", line 1734, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 1770, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 1757, in cassandra.cluster.Cluster.connect
  File "cassandra\cluster.py", line 3573, in cassandra.cluster.ControlConnection.connect
  File "cassandra\cluster.py", line 3618, in cassandra.cluster.ControlConnection._reconnect_internal
cassandra.cluster.NoHostAvailable: ('Unable to connect to any servers', {'<my_ip>': OSError(None, "Tried connecting to [('<my_ip>', 9142)]. Last error: timed out")})

I thought that this was a connectivity problem, but once I get rid of ssl_options, it connects to the server successfully, but treats the incoming bytes wrongly, ending up with this error:

cassandra.cluster.NoHostAvailable: ('Unable to connect to any servers', {'<my_ip>': ProtocolError('This version of the driver does not support protocol version 21')})

So I'm able to reach the server. It seems like Windows is treating the certificate the wrong way or something. What can it be?

P.S. There is also a deprecation warning: DeprecationWarning: Using ssl_options without ssl_context is deprecated and will result in an error in the next major release. Please use ssl_context to prepare for that release.

I've looked at the cqlshlib implementation, and it seems like it's still using the "deprecated" method of handling SSL.

How can one use SSLContext instead?

Erick Ramirez
winwin
1 Answer

I was looking all over the internet and finally found this: https://blog.amussey.com/post/64036730812/cassandra-2-0-client-server-ssl-with-datastax-python

winwin
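On the SSLContext question, an added example (not code from the question, the answer, or the linked post): building an `ssl.SSLContext` for the driver's `ssl_context` parameter. `cert_reqs=False` is numerically equal to `ssl.CERT_NONE`, so the `ssl_options` in the question do not verify the server certificate; the `verify=False` branch reproduces that trust level and the default branch verifies against the CA file. The function names `build_ssl_context` and `connect` are hypothetical; `db.crt` and port 9142 come from the question.

```python
import ssl


def build_ssl_context(ca_file=None, verify=True, check_hostname=False):
    """Return a client-side SSLContext to pass to Cluster(ssl_context=...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Same trust level as cert_reqs=False: the link is encrypted, but any
        # server certificate is accepted. check_hostname must be cleared first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Hostname checking only passes if the certificate carries the name or
    # IP address used to connect, so it is opt-in here (an assumption about
    # how the self-signed certificate was issued).
    ctx.check_hostname = check_hostname
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # e.g. 'db.crt'
    else:
        ctx.load_default_certs()  # fall back to the system trust store
    return ctx


def connect(host, ctx, port=9142):
    """Open a session over TLS (needs the cassandra-driver package)."""
    from cassandra.cluster import Cluster
    # With check_hostname enabled, tell the driver which name to expect.
    opts = {"server_hostname": host} if ctx.check_hostname else None
    return Cluster([host], port=port, ssl_context=ctx, ssl_options=opts).connect()


# Usage, with the values from the question:
#   session = connect('<my_ip>', build_ssl_context('db.crt'))
```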