geode-dev mailing list archives

From Sai Boorlagadda <>
Subject Re: Proposal to support custom
Date Tue, 07 Aug 2018 23:32:14 GMT
Based on the review I am amending the proposal as follows:

- Removing the proposed new property 'ssl-use-default-provider'
- Add an ability for GEODE to use default SSLContext

This way users can choose between whether to use default security context
or provide ssl-* parameters to configure it as per their needs. In the
earlier proposal a SecurityContext is initialized from a TrustManagerFactory
that is initialized with a 'null' keystore, so it makes sense to not
configure a context and use a default one when requested.

How does using a default SSLContext fix GEODE-5338 (CA or KEY
rotation)? When users want to use a default context, it can be either the
system default or a custom provider (like the one in the earlier proposal). If no
custom provider is added then the default context reads CAs from the JDK installed

I would like to also get consensus on defaulting GEODE's behavior to always
use the default SSL context instead of introducing a new parameter
'ssl-use-default-sslcontext'. If users have specified any existing ssl-*
props then the current implementation is exercised (i.e., to configure the
context as per the provided properties).


On Wed, Aug 1, 2018 at 3:02 PM Sai Boorlagadda <>

> All,
> GEODE-5338[1] is a feature request to support CA & KEY rotation on the
> client application. I am proposing a solution[2] to add a new SSL property (
> *ssl-use-default-provider*) to let Geode use default security
> provider[3] (either JDK provided provider or a custom provider) to load and
> manage key and trust stores.
> I have submitted a PR[4] with the proposed change and a distributed test
> to showcase clients using a custom provider. Looking for feedback on the
> proposal and the PR as well.
> You can find details about the proposal on the wiki[3].
> [1]
> [2]
> [3]
> [4]
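The two paths the thread discusses, as an added example (not Geode's own code, and not part of the original message): when no ssl-* properties are set, hand back the JVM's default SSLContext (whose key and trust material come from the javax.net.ssl.* system properties, otherwise the JDK's cacerts, or from whichever installed security provider is first for SSLContext); when ssl-* properties are present, build the context from the configured key and trust stores. The property names ssl-keystore, ssl-keystore-password, ssl-truststore and ssl-truststore-password, the hasExplicitSslConfig check and the sample property values are assumptions made for this illustration, not Geode's actual configuration surface. The null-keystore fallback noted in the thread is visible in the TrustManagerFactory/KeyManagerFactory init calls.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not Geode code. Chooses between the JVM default SSLContext and
// an SSLContext built from explicit ssl-* properties.
public final class SslContextChooser {

    // Property names are assumed for illustration; they are not Geode's real ones.
    static final String KEYSTORE = "ssl-keystore";
    static final String KEYSTORE_PASSWORD = "ssl-keystore-password";
    static final String TRUSTSTORE = "ssl-truststore";
    static final String TRUSTSTORE_PASSWORD = "ssl-truststore-password";

    // True if the caller configured any non-empty ssl-* property.
    static boolean hasExplicitSslConfig(Properties props) {
        return props.stringPropertyNames().stream()
                .anyMatch(n -> n.startsWith("ssl-") && !props.getProperty(n, "").isEmpty());
    }

    static SSLContext choose(Properties props) throws Exception {
        if (!hasExplicitSslConfig(props)) {
            // No ssl-* properties: use the JVM default. Its trust anchors come from
            // javax.net.ssl.trustStore if set, else the JDK's cacerts, and the
            // context itself comes from the first installed provider for SSLContext
            // (which is how a custom provider can take over key/trust management).
            return SSLContext.getDefault();
        }

        // Explicit ssl-* properties: configure the context from the given stores.
        String ksPassword = props.getProperty(KEYSTORE_PASSWORD, "");
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // A null KeyStore here makes the factory fall back to javax.net.ssl.keyStore.
        kmf.init(load(props.getProperty(KEYSTORE), ksPassword), ksPassword.toCharArray());

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore here makes the factory use the JVM's default trust anchors,
        // which is the behaviour the thread's earlier proposal relied on.
        tmf.init(load(props.getProperty(TRUSTSTORE), props.getProperty(TRUSTSTORE_PASSWORD, "")));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Loads a keystore from disk; returns null when no path was configured.
    private static KeyStore load(String path, String password) throws Exception {
        if (path == null || path.isEmpty()) {
            return null;
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: no ssl-* properties, so the default context is used.
        Properties none = new Properties();
        SSLContext def = choose(none);
        System.out.println("default context from provider: " + def.getProvider().getName());

        // Constructed sample input: explicit stores (paths are placeholders for a real run).
        Properties explicit = new Properties();
        explicit.setProperty(KEYSTORE, "/path/to/client.jks");
        explicit.setProperty(KEYSTORE_PASSWORD, "changeit");
        explicit.setProperty(TRUSTSTORE, "/path/to/truststore.jks");
        explicit.setProperty(TRUSTSTORE_PASSWORD, "changeit");
        System.out.println("explicit config detected: " + hasExplicitSslConfig(explicit));
    }
}
```

One caveat worth checking before relying on the default path for rotation: SSLContext.getDefault() returns a context that is created once and cached by the JVM, so CA or key rotation through the default path works only if the provider behind it (a custom one, or the trust managers it hands out) reloads material itself; simply replacing the file on disk does not change an already-initialized default context.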
