ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: SSL for ODBC connection
Date Tue, 07 Nov 2017 19:04:18 GMT
Igor,

Thanks for the clarification. Please file a ticket if nobody else shares feedback soon.

—
Denis

> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isapego@apache.org> wrote:
> 
> Hi Denis,
> 
>> Could you explain the difference between “allow, prefer and require” modes?
> allow - Client will first try connecting without SSL, and then fall back to
> SSL if it is not allowed to connect without SSL;
> prefer - Client will first try connecting using SSL, and then fall back to
> non-SSL if SSL is not supported by the server;
> disable - Client will only connect using SSL and return error if failed to
> successfully do so.
> 
>> BTW, do we really need to have the “disable” one? Guess that having
>> ssl_mode set to “disable” will have the same effect as not setting the
>> ssl_mode at all.
> This is a matter of the default value of the ssl_mode option. The way you
> propose it means that you still have the "disable" option, it is just not
> explicit.
> 
> Best Regards,
> Igor
> 
> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dmagda@apache.org> wrote:
> 
>> Hi Igor,
>> 
>> Could you explain the difference between “allow, prefer and require” modes?
>> 
>> BTW, do we really need to have the “disable” one? Guess that having
>> ssl_mode set to “disable” will have the same effect as not setting the
>> ssl_mode at all.
>> 
>> —
>> Denis
>> 
>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isapego@apache.org> wrote:
>>> 
>>> Hi, Igniters,
>>> 
>>> I'm going to start working on the SSL support for the ODBC
>>> connection and I need to hear your opinion.
>>> 
>>> For the client side I'm going to use the OpenSSL library [1], which is
>>> the de facto standard for C/C++ applications. Unfortunately its
>>> licence is not fully compatible with the Apache Licence, so it's going
>>> to require users to install OpenSSL themselves.
>>> 
>>> For the driver I'm going to add the following options to the connection
>>> string:
>>> ssl_mode - Determines whether or with what priority an SSL
>>>   connection will be negotiated with the server. Options
>>>   here are disable, allow, prefer, require.
>>> ssl_key_file - Path to the location for the secret key used for the
>>>   client certificate.
>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>> 
>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>> attempt to find and load OpenSSL library before establishing
>>> connection.
>>> 
>>> For the server side there is already SslContextFactory in the
>>> IgniteConfiguration, which is used by all components to determine
>>> if SSL is enabled and to figure out connection parameters, so
>>> I think it's a good idea to just re-use it for the
>>> ClientListenerProcessor.
>>> 
>>> What do you guys think?
>>> 
>>> [1] - https://www.openssl.org
>>> 
>>> Best Regards,
>>> Igor
>> 
>> 
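
The connection-string options proposed in the thread, as an added example that is not part of the original messages or of the Ignite driver's code: it parses the options and derives, for each ssl_mode, the order of connection attempts and whether the session can end up unencrypted. It assumes "disable" means never SSL and "require" means SSL only; the function names and the sample string are hypothetical.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

enum class Transport { Plain, Ssl };
using Options = std::map<std::string, std::string>;

// Constructed sample input, not taken from the thread.
const char* kSample = "ssl_mode=prefer;ssl_cert_file=/path/to/client.pem";

// Split "key=value;key=value" into options; items without '=' are ignored.
Options ParseConnStr(const std::string& s) {
    Options out;
    std::istringstream in(s);
    for (std::string item; std::getline(in, item, ';');) {
        auto eq = item.find('=');
        if (eq != std::string::npos) out[item.substr(0, eq)] = item.substr(eq + 1);
    }
    return out;
}

// Ordered transports the client would try for a mode. "disable" = never SSL
// and "require" = SSL only are assumptions of this example.
std::vector<Transport> AttemptOrder(const std::string& mode) {
    if (mode == "disable") return {Transport::Plain};
    if (mode == "allow")   return {Transport::Plain, Transport::Ssl};
    if (mode == "prefer")  return {Transport::Ssl, Transport::Plain};
    if (mode == "require") return {Transport::Ssl};
    throw std::invalid_argument("unknown ssl_mode: " + mode);
}

// A mode can end on an unencrypted session if Plain appears in its order.
bool MayUsePlaintext(const std::string& mode) {
    for (Transport t : AttemptOrder(mode))
        if (t == Transport::Plain) return true;
    return false;
}

// Findings a reviewer would raise for one connection string.
std::vector<std::string> Audit(const std::string& connStr) {
    Options o = ParseConnStr(connStr);
    std::vector<std::string> f;
    if (!o.count("ssl_mode")) { f.push_back("ssl_mode not set: driver default decides"); return f; }
    if (MayUsePlaintext(o["ssl_mode"])) f.push_back("ssl_mode=" + o["ssl_mode"] + " can end on plaintext");
    if (o.count("ssl_cert_file") != o.count("ssl_key_file"))
        f.push_back("ssl_cert_file and ssl_key_file must be set together");
    return f;
}
```

Only a mode whose attempt order contains no plaintext step guarantees an encrypted session, which is why the fallback in "allow" and "prefer" matters when the network path is untrusted.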

