ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: SSL for ODBC connection
Date Fri, 26 Jan 2018 23:22:31 GMT
Igor, 

Why might it not be enough to have ssl_enabled=[true | false]? Could you give an example since
you’ve already done the research?

—
Denis

> On Jan 26, 2018, at 6:08 AM, Igor Sapego <isapego@apache.org> wrote:
> 
> Guys,
> 
> The SSL for the ODBC is pretty much ready and working, so
> here is update on the current state I want to share with you.
> And of course, I'd like to hear your opinion on this one.
> 
> First of all, I've checked some discussions about the ssl_mode
> approaches in different ODBC drivers and it seems to me that
> there is a big chance that simple ssl_enabled=[true|false]
> approach is not going to be enough for our users.
> 
> So I propose a compromise for now. The compromise is to use
> ssl_mode=[require|disable] parameter right now, which is pretty
> much as easy to understand as ssl_enabled=[true|false], but
> leaves us a possibility to add other modes in future if we need
> them.
> 
> So the full set of SSL parameters now is the following:
> ssl_mode=[require|disable]
> ssl_key_file=<path_to_private_key>
> ssl_cert_file=<path_to_client_certificate>
> ssl_ca_file=<path_to_trusted_certificates>
> 
> Thoughts?
> 
> Best Regards,
> Igor
> 
> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dmagda@apache.org> wrote:
> 
>> This configuration approach looks clearer to me. +1 for it.
>> 
>> —
>> Denis
>> 
>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isapego@apache.org> wrote:
>>> 
>>> Ok, then how about the following set of options:
>>> 
>>> ssl_enabled=[true|false]
>>> ssl_key_file=<path_to_secret_key>
>>> ssl_cert_file=<path_to_certificate>
>>> 
>>> 
>>> Best Regards,
>>> Igor
>>> 
>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <vozerov@gridgain.com>
>>> wrote:
>>> 
>>>> I think it would be enough to have a single switch for now.
>>>> 
>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dmagda@apache.org> wrote:
>>>> 
>>>>> Igor,
>>>>> 
>>>>> Thanks for the clarification. Please file a ticket if nobody else shares
>>>>> feedback soon.
>>>>> 
>>>>> —
>>>>> Denis
>>>>> 
>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isapego@apache.org> wrote:
>>>>>> 
>>>>>> Hi Denis,
>>>>>> 
>>>>>>> Could you explain the difference between “allow, prefer and require” modes?
>>>>>> allow - Client will first try connecting without SSL, and then fall back to
>>>>>> SSL if it is not allowed to connect without SSL;
>>>>>> prefer - Client will first try connecting using SSL, and then fall back to
>>>>>> non-SSL if SSL is not supported by the server;
>>>>>> disable - Client will only connect using SSL and return error if failed to
>>>>>> successfully do so.
>>>>>> 
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>> ssl_mode at all.
>>>>>> This is the matter of the default value of the ssl_mode option. The way you
>>>>>> propose it means that you still have "disable" option, it is just not
>>>>>> explicit.
>>>>>> 
>>>>>> Best Regards,
>>>>>> Igor
>>>>>> 
>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dmagda@apache.org> wrote:
>>>>>> 
>>>>>>> Hi Igor,
>>>>>>> 
>>>>>>> Could you explain the difference between “allow, prefer and require” modes?
>>>>>>> 
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>> ssl_mode at all.
>>>>>>> 
>>>>>>> —
>>>>>>> Denis
>>>>>>> 
>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isapego@apache.org> wrote:
>>>>>>>> 
>>>>>>>> Hi, Igniters,
>>>>>>>> 
>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>> connection and I need to hear your opinion.
>>>>>>>> 
>>>>>>>> For the client side I'm going to use the OpenSSL library [1], which is
>>>>>>>> the de facto standard for C/C++ applications. Unfortunately its
>>>>>>>> licence is not fully compatible with the Apache Licence, so it's going
>>>>>>>> to require users to install OpenSSL themselves.
>>>>>>>> 
>>>>>>>> For the driver I'm going to add following options to connection
>>>>>>>> string:
>>>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>>> client certificate.
>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>> 
>>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>>>> connection.
>>>>>>>> 
>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>> if SSL is enabled and to figure out connection parameters, so
>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>>> ClientListenerProcessor.
>>>>>>>> 
>>>>>>>> What do you guys think?
>>>>>>>> 
>>>>>>>> [1] - https://www.openssl.org
>>>>>>>> 
>>>>>>>> Best Regards,
>>>>>>>> Igor
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>> 
>> 
>> 

