ignite-dev mailing list archives

From Igor Sapego <isap...@apache.org>
Subject Re: SSL for ODBC connection
Date Tue, 07 Nov 2017 09:23:45 GMT
Hi Denis,

> Could you explain the difference between “allow, prefer and require”
> modes?
allow - Client will first try connecting without SSL, and then fall back to
SSL if it is not allowed to connect without SSL;
prefer - Client will first try connecting using SSL, and then fall back to
non-SSL if SSL is not supported by the server;
disable - Client will only connect using SSL and return an error if it fails to
successfully do so.

> BTW, do we really need to have the “disable” one? Guess that having
> ssl_mode set to “disable” will have the same effect as not setting the
> ssl_mode at all.
This is a matter of the default value of the ssl_mode option. The way you
propose it means that you still have the "disable" option, it is just not
explicit.

Best Regards,
Igor

On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dmagda@apache.org> wrote:

> Hi Igor,
>
> Could you explain the difference between “allow, prefer and require” modes?
>
> BTW, do we really need to have the “disable” one? Guess that having
> ssl_mode set to “disable” will have the same effect as not setting the
> ssl_mode at all.
>
> —
> Denis
>
> > On Nov 3, 2017, at 9:04 AM, Igor Sapego <isapego@apache.org> wrote:
> >
> > Hi, Igniters,
> >
> > I'm going to start working on the SSL support for the ODBC
> > connection and I need to hear your opinion.
> >
> > For the client side I'm going to use the OpenSSL library [1], which is
> > the de facto standard for C/C++ applications. Unfortunately its
> > licence is not fully compatible with the Apache Licence, so it's going
> > to require users to install OpenSSL themselves.
> >
> > For the driver I'm going to add the following options to the connection
> > string:
> > ssl_mode - Determines whether or with what priority an SSL
> >    connection will be negotiated with the server. Options
> >    here are disable, allow, prefer, require.
> > ssl_key_file - Path to the location for the secret key used for the
> >    client certificate.
> > ssl_cert_file - Path to the file of the client SSL certificate.
> >
> > If the ssl_mode is not set to "disable" then the ODBC driver will
> > attempt to find and load the OpenSSL library before establishing
> > a connection.
> >
> > For the server side there is already SslContextFactory in the
> > IgniteConfiguration, which is used by all components to determine
> > if SSL is enabled and to figure out connection parameters, so
> > I think it's a good idea to just re-use it for the
> > ClientListenerProcessor.
> >
> > What do you guys think?
> >
> > [1] - https://www.openssl.org
> >
> > Best Regards,
> > Igor
>
>
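
The fallback order described in the reply above, as an added example that is not part of the thread and is not Apache Ignite code. It assumes a plain `key=value;` connection string, reads the "SSL only" description as belonging to `require`, and treats a missing `ssl_mode` as `disable`; all function and type names are hypothetical.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Added illustration. Option and mode names come from the thread;
// everything else (names, parsing rules, default) is an assumption.
enum class Transport { Plain, Ssl };

// Split "k1=v1;k2=v2" into a map. Quoting and escaping are not handled.
std::map<std::string, std::string> parseConnStr(const std::string& s) {
    std::map<std::string, std::string> kv;
    std::istringstream in(s);
    std::string item;
    while (std::getline(in, item, ';')) {
        auto eq = item.find('=');
        if (eq == std::string::npos) continue;  // skip malformed items
        kv[item.substr(0, eq)] = item.substr(eq + 1);
    }
    return kv;
}

// Ordered list of transports the client would try for a given ssl_mode.
std::vector<Transport> attemptPlan(const std::string& mode) {
    if (mode == "disable") return {Transport::Plain};
    if (mode == "allow")   return {Transport::Plain, Transport::Ssl};
    if (mode == "prefer")  return {Transport::Ssl, Transport::Plain};
    if (mode == "require") return {Transport::Ssl};
    throw std::invalid_argument("unknown ssl_mode: " + mode);
}

// True when any attempt in the plan is unencrypted, i.e. the session can
// end up in plaintext because SSL is never tried or its failure is tolerated.
bool mayUsePlaintext(const std::string& connStr) {
    auto kv = parseConnStr(connStr);
    auto it = kv.find("ssl_mode");
    // Assumption: an absent ssl_mode behaves like "disable".
    std::string mode = (it == kv.end()) ? "disable" : it->second;
    for (Transport t : attemptPlan(mode))
        if (t == Transport::Plain) return true;
    return false;
}
```

A deployment check built on `mayUsePlaintext` accepts only `ssl_mode=require`, since every other mode includes a non-SSL attempt.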
