ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Denis Magda <dma...@apache.org>
Subject Re: SSL for ODBC connection
Date Mon, 20 Nov 2017 23:01:02 GMT
This configuration approach looks clearer to me. +1 for it.

—
Denis

> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isapego@apache.org> wrote:
> 
> Ok, then how about the following set of options:
> 
> ssl_enabled=[true|false]
> ssl_key_file=<path_to_secret_key>
> ssl_cert_file=<path_to_certificate>
> 
> 
> Best Regards,
> Igor
> 
> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <vozerov@gridgain.com>
> wrote:
> 
>> I think it would be enough to have a single switch for now.
>> 
>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dmagda@apache.org> wrote:
>> 
>>> Igor,
>>> 
>>> Thanks for the clarification. Please file a ticket if nobody else shares
>> a
>>> feedback soon.
>>> 
>>> —
>>> Denis
>>> 
>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isapego@apache.org> wrote:
>>>> 
>>>> Hi Denis,
>>>> 
>>>>> Could you explain the difference between “allow, prefer and require”
>>>> modes?
>>>> allow - Client will first try connecting without SSL, and then fallback
>>> to
>>>> SSL if it is not allowed to connect without SSL;
>>>> prefer - Client will first try connecting using SSL, and then fallback
>> to
>>>> non-SSL if SSL is not supported by the server;
>>>> disable - Client will only connect using SSL and return error if failed
>>> to
>>>> successfully do so.
>>>> 
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>> ssl_mode at all.
>>>> This is the matter of the default value of the ssl_mode option. The way
>>> you
>>>> propose it means that you still has "disable" option, it is just is not
>>>> explicit.
>>>> 
>>>> Best Regards,
>>>> Igor
>>>> 
>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dmagda@apache.org>
>> wrote:
>>>> 
>>>>> Hi Igor,
>>>>> 
>>>>> Could you explain the difference between “allow, prefer and require”
>>> modes?
>>>>> 
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>> ssl_mode set to “disable” will have the same effect as not setting
the
>>>>> ssl_mode at all.
>>>>> 
>>>>> —
>>>>> Denis
>>>>> 
>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isapego@apache.org>
wrote:
>>>>>> 
>>>>>> Hi, Igniters,
>>>>>> 
>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>> connection and I need to hear your opinion.
>>>>>> 
>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>> standard de-facto for C/C++ applications. Unfortunately its
>>>>>> licence is not fully compatible with Apache Licence, so its going
>>>>>> to require from users to install OpenSSL themselves.
>>>>>> 
>>>>>> For the driver I'm going to add following options to connection
>>>>>> string:
>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>  connection will be negotiated with the server. Options
>>>>>>  here are disable, allow, prefer, require.
>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>  client certificate.
>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>> 
>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>> connection.
>>>>>> 
>>>>>> For the server side there is already SslContextFactory in the
>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>> if the SSL enabled and to figure out connection parameters, so
>>>>>> I think it's a good idea to just re-use it for the
>>>>> ClientListenerProcessorю
>>>>>> 
>>>>>> What do you guys think?
>>>>>> 
>>>>>> [1] - https://www.openssl.org
>>>>>> 
>>>>>> Best Regards,
>>>>>> Igor
>>>>> 
>>>>> 
>>> 
>>> 
>> 


Mime
View raw message