geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sai Boorlagadda <sai.boorlaga...@gmail.com>
Subject Re: Proposal of new config property "ssl-server-name-extension"
Date Sun, 24 Nov 2019 16:33:32 GMT
Hello Mario,

I would like to see if having a custom security provider allows you to
configure the default SSL context to set the SNI?

>From your proposal, I see that you have implemented a Java Security
Provider to provide custom KeyManager implementation which distinguishes
certificate based on which the wan-site the peer client is connecting to.
How are you configuring this security provider? I am assuming you have some
bootstrapping code that inserts your security provider before launching
Geode, and also set gemfire property `ssl-use-default-context` to true to
let Geode use the default SSL context. Can this bootstrapping code create
and configure an SSL context with SNI and set it as default context before
launching geode?

This may appear as a workaround but the rationale behind
`ssl-use-default-context` is to delegate the external environment to
configure the SSL context in a required manner and let Geode just use it.

Sai

On Tue, Nov 19, 2019 at 3:27 AM Mario Ivanac <mario.ivanac@est.tech> wrote:

> Hi geode dev,
>
> as a part of solution for https://issues.apache.org/jira/browse/GEODE-7414
> we would like to introduce new config property "ssl-server-name-extension".
>
> This property will contain generic string, which will be added as Server
> Name Indication (SNI) parameter to Client Hello message.
>
> Do you agree with this proposal?
>
> Thanks,
> Mario
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message