geode-dev mailing list archives

From Charlie Black <cbl...@pivotal.io>
Subject Re: Odg: Odg: Proposal of new config property "ssl-server-name-extension"
Date Tue, 19 Nov 2019 22:27:48 GMT
Sorry - I had sent the e-mail to Mario directly. Also thanks for hanging
in there with me through this.

The ClientHello message is what is throwing me. As long as the SNI
behaves like the extension to the standard I am fine. Meaning if "openssl
s_client -connect server:port -servername servername.com" returns the right
stuff we are fine.

Note: I might not have all the options right in the openssl command, but
-servername enables SNI.

With that in mind I am +1 on this.

Charlie

On Tue, Nov 19, 2019 at 12:00 PM Mario Ivanac <mario.ivanac@est.tech> wrote:

> Hi,
>
> as described before:
>
> This property will contain generic string, which will be added as Server
> Name Indication (SNI) parameter to ClientHello message.
> ClientHello message is part of SSL handshake.
>
> Mario
> ------------------------------
> *From:* Charlie Black <cblack@pivotal.io>
> *Sent:* 19 November 2019 18:20
> *To:* Mario Ivanac <mario.ivanac@est.tech>
> *Cc:* dev@geode.apache.org <dev@geode.apache.org>
> *Subject:* Re: Odg: Proposal of new config property
> "ssl-server-name-extension"
>
> The SSL handshake is done *before* the Geode handshake. So additions
> to the Geode handshake protocol will not affect SSL connections since the
> secure socket connection has already been negotiated and the Geode
> handshake is encrypted.
>
> Charlie
>
> On Tue, Nov 19, 2019 at 9:06 AM Mario Ivanac <mario.ivanac@est.tech>
> wrote:
>
> Hi all,
>
> this proposal and ticket are result of mail discussion "Special
> certificates for multisite":
>
>
> https://lists.apache.org/thread.html/2418dd1b5f9ae812daa48a51a8d2eb252a3c861a890264f47da3a4d3@%3Cdev.geode.apache.org%3E
>
>
> BR,
> Mario
> ------------------------------
> *From:* Charlie Black <cblack@pivotal.io>
> *Sent:* 19 November 2019 17:24
> *To:* dev@geode.apache.org <dev@geode.apache.org>
> *Subject:* Re: Proposal of new config property "ssl-server-name-extension"
>
> I have read the e-mail and the ticket; I am not sure how this field is going
> to be used. Maybe you can expand on the intent of this field.
>
> From the property "ssl-server-name-extension" it feels like we are
> intending to correlate with something presented in the SSL certificate.
> It would be great if that was explained plainly for the reader in more
> detail.
>
> For now I can only -1.
>
> Charlie
>
> On Tue, Nov 19, 2019 at 3:27 AM Mario Ivanac <mario.ivanac@est.tech>
> wrote:
>
> > Hi geode dev,
> >
> > as a part of solution for
> > https://issues.apache.org/jira/browse/GEODE-7414
> > we would like to introduce new config property
> > "ssl-server-name-extension".
> >
> > This property will contain generic string, which will be added as Server
> > Name Indication (SNI) parameter to Client Hello message.
> >
> > Do you agree with this proposal?
> >
> > Thanks,
> > Mario
> >
>
>
> --
> Charlie Black | cblack@pivotal.io
>
>
>
> --
> Charlie Black | cblack@pivotal.io
>


-- 
Charlie Black | cblack@pivotal.io
