Enable hostname verification for SSL connections to Cassandra

wilkinsona · wilkinsona · commit e22083a5684c · 2026-04-23T08:48:54.000+01:00
Closes gh-50171
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/cassandra/CassandraAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/cassandra/CassandraAutoConfiguration.java
@@ -115,7 +115,7 @@ public CqlSessionBuilder cassandraSessionBuilder(DriverConfigLoader driverConfig
 			ObjectProvider<CqlSessionBuilderCustomizer> builderCustomizers) {
 		CqlSessionBuilder builder = CqlSession.builder().withConfigLoader(driverConfigLoader);
 		configureAuthentication(builder, connectionDetails);
-		configureSsl(builder, connectionDetails);
+		configureSsl(builder, connectionDetails, this.properties.getSsl().isVerifyHostname());
 		builder.withKeyspace(this.properties.getKeyspaceName());
 		builderCustomizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder;
@@ -128,15 +128,16 @@ private void configureAuthentication(CqlSessionBuilder builder, CassandraConnect
 		}
 	}
 
-	private void configureSsl(CqlSessionBuilder builder, CassandraConnectionDetails connectionDetails) {
+	private void configureSsl(CqlSessionBuilder builder, CassandraConnectionDetails connectionDetails,
+			boolean verifyHostname) {
 		SslBundle sslBundle = connectionDetails.getSslBundle();
 		if (sslBundle == null) {
 			return;
 		}
 		SslOptions options = sslBundle.getOptions();
 		Assert.state(options.getEnabledProtocols() == null, "SSL protocol options cannot be specified with Cassandra");
-		builder
-			.withSslEngineFactory(new ProgrammaticSslEngineFactory(sslBundle.createSslContext(), options.getCiphers()));
+		builder.withSslEngineFactory(
+				new ProgrammaticSslEngineFactory(sslBundle.createSslContext(), options.getCiphers(), verifyHostname));
 	}
 
 	@Bean(destroyMethod = "")
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/cassandra/CassandraProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/cassandra/CassandraProperties.java
@@ -225,6 +225,11 @@ public static class Ssl {
 		 */
 		private Boolean enabled;
 
+		/**
+		 * Whether to perform hostname verification.
+		 */
+		private boolean verifyHostname = true;
+
 		/**
 		 * SSL bundle name.
 		 */
@@ -246,6 +251,14 @@ public void setBundle(String bundle) {
 			this.bundle = bundle;
 		}
 
+		public boolean isVerifyHostname() {
+			return this.verifyHostname;
+		}
+
+		public void setVerifyHostname(boolean verifyHostname) {
+			this.verifyHostname = verifyHostname;
+		}
+
 	}
 
 	public static class Connection {
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/cassandra/CassandraAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/cassandra/CassandraAutoConfigurationTests.java
@@ -86,9 +86,23 @@ void cqlSessionBuilderWithSslEnabled() {
 		this.contextRunner.withPropertyValues("spring.cassandra.ssl.enabled=true").run((context) -> {
 			CqlSessionBuilder builder = context.getBean(CqlSessionBuilder.class);
 			assertThat(builder).hasFieldOrPropertyWithValue("programmaticSslFactory", true);
+			assertThat(builder).extracting("programmaticArgumentsBuilder.sslEngineFactory")
+				.hasFieldOrPropertyWithValue("requireHostnameValidation", true);
 		});
 	}
 
+	@Test
+	void cqlSessionBuilderWithSslEnabledAndVerifyHostnameDisabled() {
+		this.contextRunner
+			.withPropertyValues("spring.cassandra.ssl.enabled=true", "spring.cassandra.ssl.verify-hostname=false")
+			.run((context) -> {
+				CqlSessionBuilder builder = context.getBean(CqlSessionBuilder.class);
+				assertThat(builder).hasFieldOrPropertyWithValue("programmaticSslFactory", true);
+				assertThat(builder).extracting("programmaticArgumentsBuilder.sslEngineFactory")
+					.hasFieldOrPropertyWithValue("requireHostnameValidation", false);
+			});
+	}
+
 	@Test
 	@WithPackageResources("test.jks")
 	void cqlSessionBuilderWithSslBundle() {
@@ -100,6 +114,24 @@ void cqlSessionBuilderWithSslBundle() {
 			.run((context) -> {
 				CqlSessionBuilder builder = context.getBean(CqlSessionBuilder.class);
 				assertThat(builder).hasFieldOrPropertyWithValue("programmaticSslFactory", true);
+				assertThat(builder).extracting("programmaticArgumentsBuilder.sslEngineFactory")
+					.hasFieldOrPropertyWithValue("requireHostnameValidation", true);
+			});
+	}
+
+	@Test
+	@WithPackageResources("test.jks")
+	void cqlSessionBuilderWithSslBundleAndVerifyHostnameDisabled() {
+		this.contextRunner
+			.withPropertyValues("spring.cassandra.ssl.bundle=test-bundle", "spring.cassandra.ssl.verify-hostname=false",
+					"spring.ssl.bundle.jks.test-bundle.keystore.location=classpath:test.jks",
+					"spring.ssl.bundle.jks.test-bundle.keystore.password=secret",
+					"spring.ssl.bundle.jks.test-bundle.key.password=password")
+			.run((context) -> {
+				CqlSessionBuilder builder = context.getBean(CqlSessionBuilder.class);
+				assertThat(builder).hasFieldOrPropertyWithValue("programmaticSslFactory", true);
+				assertThat(builder).extracting("programmaticArgumentsBuilder.sslEngineFactory")
+					.hasFieldOrPropertyWithValue("requireHostnameValidation", false);
 			});
 	}
 
