From: Sai Boorlagadda
Date: Sun, 24 Nov 2019 08:33:32 -0800
Subject: Re: Proposal of new config property "ssl-server-name-extension"
To: dev@geode.apache.org
Hello Mario,

I would like to see if having a custom security provider allows you to configure the default SSL context to set the SNI?

From your proposal, I see that you have implemented a Java Security Provider to provide a custom KeyManager implementation which distinguishes certificates based on which WAN site the peer client is connecting to. How are you configuring this security provider? I am assuming you have some bootstrapping code that inserts your security provider before launching Geode, and also sets the gemfire property `ssl-use-default-context` to true to let Geode use the default SSL context.

Can this bootstrapping code create and configure an SSL context with SNI and set it as the default context before launching Geode? This may appear as a workaround, but the rationale behind `ssl-use-default-context` is to let the external environment configure the SSL context in the required manner and let Geode just use it.

Sai

On Tue, Nov 19, 2019 at 3:27 AM Mario Ivanac wrote:
> Hi Geode dev,
>
> as a part of the solution for https://issues.apache.org/jira/browse/GEODE-7414
> we would like to introduce a new config property "ssl-server-name-extension".
>
> This property will contain a generic string, which will be added as a Server
> Name Indication (SNI) parameter to the Client Hello message.
>
> Do you agree with this proposal?
>
> Thanks,
> Mario
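The bootstrapping approach Sai asks about, written out as an added example. This is not Geode code and not Mario's provider from GEODE-7414; it only shows that the JDK API allows a process to install a default SSLContext whose client sockets already carry an SNI host name, so that a Geode member started with `ssl-use-default-context=true` would send the Server Name Indication without a new gemfire property. The site name `site-b.wan.example` and the `installDefaultContextWithSni` entry point are hypothetical, and the example assumes Geode obtains its client sockets from the default context's `SSLSocketFactory` and does not overwrite their `SSLParameters` afterwards.

```java
// Added example: wrap a real SSLContext so that every client SSLSocket created from
// its socket factory has a fixed SNIHostName, then make the wrapper the JVM default.
// Not Geode's own code; the WAN-site name below is a constructed placeholder.
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.*;

public final class SniDefaultContextBootstrap {

    /** Delegating socket factory that injects the SNI name into each SSLSocket it hands out. */
    static final class SniSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final List<SNIServerName> serverNames;

        SniSocketFactory(SSLSocketFactory delegate, String sniHost) {
            this.delegate = delegate;
            this.serverNames = Collections.singletonList(new SNIHostName(sniHost));
        }

        // The TLS handshake is lazy (first I/O or startHandshake), so parameters set
        // right after creation still end up in the ClientHello.
        private Socket withSni(Socket s) {
            if (s instanceof SSLSocket) {
                SSLSocket ssl = (SSLSocket) s;
                SSLParameters p = ssl.getSSLParameters();
                p.setServerNames(serverNames);
                ssl.setSSLParameters(p);
            }
            return s;
        }

        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket() throws IOException { return withSni(delegate.createSocket()); }
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return withSni(delegate.createSocket(s, host, port, autoClose));
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return withSni(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
            return withSni(delegate.createSocket(host, port, local, localPort));
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return withSni(delegate.createSocket(host, port));
        }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
            return withSni(delegate.createSocket(host, port, local, localPort));
        }
    }

    /** SPI that forwards everything to the real context except the client socket factory. */
    static final class SniContextSpi extends SSLContextSpi {
        private final SSLContext inner;
        private final String sniHost;

        SniContextSpi(SSLContext inner, String sniHost) { this.inner = inner; this.sniHost = sniHost; }

        @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) {
            throw new IllegalStateException("already initialised; configure the inner context instead");
        }
        @Override protected SSLSocketFactory engineGetSocketFactory() {
            return new SniSocketFactory(inner.getSocketFactory(), sniHost);
        }
        // Server side is untouched, so a custom KeyManager that picks the certificate by SNI keeps working.
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() { return inner.getServerSocketFactory(); }
        @Override protected SSLEngine engineCreateSSLEngine() { return inner.createSSLEngine(); }
        @Override protected SSLEngine engineCreateSSLEngine(String host, int port) { return inner.createSSLEngine(host, port); }
        @Override protected SSLSessionContext engineGetServerSessionContext() { return inner.getServerSessionContext(); }
        @Override protected SSLSessionContext engineGetClientSessionContext() { return inner.getClientSessionContext(); }
    }

    /** SSLContext only has a protected constructor, so a thin subclass is needed to wrap the SPI. */
    static final class SniSslContext extends SSLContext {
        SniSslContext(SSLContext inner, String sniHost) {
            super(new SniContextSpi(inner, sniHost), inner.getProvider(), inner.getProtocol());
        }
    }

    /** Hypothetical bootstrap entry point: pass the site's own KeyManager/TrustManager here. */
    public static SSLContext installDefaultContextWithSni(KeyManager[] kms, TrustManager[] tms, String sniHost)
            throws Exception {
        SSLContext inner = SSLContext.getInstance("TLS");
        inner.init(kms, tms, null);
        SSLContext wrapped = new SniSslContext(inner, sniHost);
        SSLContext.setDefault(wrapped);   // what ssl-use-default-context=true would make Geode pick up
        return wrapped;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = installDefaultContextWithSni(null, null, "site-b.wan.example"); // constructed name
        SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket();
        System.out.println(s.getSSLParameters().getServerNames());
    }
}
```

Run the class before starting the Geode member in the same JVM. Two things to check in practice: that the member really creates its outbound connections through `SSLContext.getDefault().getSocketFactory()` (an `SSLEngine`-based path would bypass the wrapper), and that nothing later calls `setSSLParameters` with a fresh `SSLParameters` object, since that replaces the injected server-name list.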