db-derby-dev mailing list archives

From "John H. Embretsen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2356) Make SSL server authentication optional
Date Thu, 22 Feb 2007 12:14:06 GMT

    [ https://issues.apache.org/jira/browse/DERBY-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12474990 ]

John H. Embretsen commented on DERBY-2356:
------------------------------------------

A few comments after my first take at trying out the (v1) patch:

(I have only tried ssl=basic so far...)

1) No server commands (e.g. shutdown, ping, runtimeinfo) worked after the server was started
with SSL on (basic). The message I'm getting is:

    Invalid reply header from network server: Invalid string .

2) Using -Dderby.drda.sslMode=basic (and ssl=basic in the client URL) seemed to work fine,
although I did not actually inspect the network traffic to verify encryption.

3) Using ssl=basic as an option to the NetworkServerControl start command did not work:

    Command line: java <properties> -jar derbyrun.jar server start ssl=basic
    Result: Invalid number of arguments for command start.

    Command line: java <properties> -jar derbyrun.jar server start -ssl=basic
    Result: Argument -ssl=basic is unknown.

  I tried both with and without the -unsecure option/plain-text authentication.

4) The funcSpec says:

     SSL at the server side is activated with the property
    derby.drda.sslMode (default off) or the -ssl option for the server
    command.

   By "the server command", do you mean the start command of the server? This should perhaps
be clarified in the funcSpec?

5) The funcSpec also says:

    The property may have three values: "off", "basic" and
    "peerAuthentication"

   However, the example in section 2.3 is using ssl=authenticate. Also, comments in the patch
seem to indicate that "false", "true" and "auth" are also valid property values. What is (or
should be) the correct set of valid values?

6) I verified that connection attempts against a server started with SSL off, but with ssl=basic
in the client URL, resulted in an informative error message on the client side.



> Make SSL server authentication optional
> ---------------------------------------
>
>                 Key: DERBY-2356
>                 URL: https://issues.apache.org/jira/browse/DERBY-2356
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Client, Network Server
>    Affects Versions: 10.3.0.0
>            Reporter: Bernt M. Johnsen
>         Assigned To: Bernt M. Johnsen
>             Fix For: 10.3.0.0
>
>         Attachments: derby-2356-v1.diff, derby-2356-v1.stat, SSLFuncSpect.txt
>
>
> Default SSL behaviour is to require server authentication. For a database application
> this is not as important as it is for web browsers and also creates some extra hassle for the
> user/application programmer. Since the main objective for SSL in Derby is encryption on the
> wire, server authentication should be optional (the same way client authentication is).
> This also creates some symmetry which can be exploited to simplify the user interface
> somewhat. This improvement to DERBY-2108 is described in the attached functional specification.
> See the attachment for details.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

