ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: SSL for ODBC connection
Date Tue, 30 Jan 2018 00:39:11 GMT
Igor,

Thanks for the references. Now it makes total sense to me. Let’s go for your approach suggested
earlier.

—
Denis

> On Jan 29, 2018, at 3:50 AM, Igor Sapego <isapego@gridgain.com> wrote:
> 
> Denis,
> 
> For example, there are often such options as "verify-ca" and "verify-full".
> [1-3]
> Moreover, this approach seems more consistent with other solutions and thus
> more familiar to users.
> 
> [1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
> [2] - https://docs.oracle.com/cd/E17952_01/connector-odbc-en/connector-odbc-configuration-connection-parameters.html
> [3] - https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
> 
> Best Regards,
> Igor
> 
> On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <dmagda@apache.org> wrote:
> 
>> Igor,
>> 
>> Why might it not be enough to have ssl_enabled=[true | false]? Could you
>> give an example, since you’ve already done the research?
>> 
>> —
>> Denis
>> 
>>> On Jan 26, 2018, at 6:08 AM, Igor Sapego <isapego@apache.org> wrote:
>>> 
>>> Guys,
>>> 
>>> The SSL for the ODBC is pretty much ready and working, so
>>> here is an update on the current state I want to share with you.
>>> And of course, I'd like to hear your opinion on this one.
>>> 
>>> First of all, I've checked some discussions about the ssl_mode
>>> approaches in different ODBC drivers and it seems to me that
>>> there is a big chance that a simple ssl_enabled=[true|false]
>>> approach is not going to be enough for our users.
>>> 
>>> So I propose a compromise for now. The compromise is to use the
>>> ssl_mode=[require|disable] parameter right now, which is pretty
>>> much as easy to understand as ssl_enabled=[true|false], but
>>> leaves us the possibility to add other modes in the future if we need
>>> them.
>>> 
>>> So the full set of SSL parameters now is the following:
>>> ssl_mode=[require|disable]
>>> ssl_key_file=<path_to_private_key>
>>> ssl_cert_file=<path_to_client_certificate>
>>> ssl_ca_file=<path_to_trusted_certificates>
>>> 
>>> Thoughts?
>>> 
>>> Best Regards,
>>> Igor
>>> 
>>> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dmagda@apache.org> wrote:
>>> 
>>>> This configuration approach looks clearer to me. +1 for it.
>>>> 
>>>> —
>>>> Denis
>>>> 
>>>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isapego@apache.org> wrote:
>>>>> 
>>>>> Ok, then how about the following set of options:
>>>>> 
>>>>> ssl_enabled=[true|false]
>>>>> ssl_key_file=<path_to_secret_key>
>>>>> ssl_cert_file=<path_to_certificate>
>>>>> 
>>>>> 
>>>>> Best Regards,
>>>>> Igor
>>>>> 
>>>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <vozerov@gridgain.com> wrote:
>>>>> 
>>>>>> I think it would be enough to have a single switch for now.
>>>>>> 
>>>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dmagda@apache.org> wrote:
>>>>>> 
>>>>>>> Igor,
>>>>>>> 
>>>>>>> Thanks for the clarification. Please file a ticket if nobody else shares
>>>>>>> feedback soon.
>>>>>>> 
>>>>>>> —
>>>>>>> Denis
>>>>>>> 
>>>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isapego@apache.org> wrote:
>>>>>>>> 
>>>>>>>> Hi Denis,
>>>>>>>> 
>>>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>>>>> modes?
>>>>>>>> allow - Client will first try connecting without SSL, and then fall back
>>>>>>>> to SSL if it is not allowed to connect without SSL;
>>>>>>>> prefer - Client will first try connecting using SSL, and then fall back
>>>>>>>> to non-SSL if SSL is not supported by the server;
>>>>>>>> disable - Client will only connect using SSL and return an error if it
>>>>>>>> failed to successfully do so.
>>>>>>>> 
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>>>> ssl_mode at all.
>>>>>>>> This is a matter of the default value of the ssl_mode option. The way
>>>>>>>> you propose it means that you still have a "disable" option, it is just
>>>>>>>> not explicit.
>>>>>>>> 
>>>>>>>> Best Regards,
>>>>>>>> Igor
>>>>>>>> 
>>>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dmagda@apache.org> wrote:
>>>>>>>> 
>>>>>>>>> Hi Igor,
>>>>>>>>> 
>>>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>>>>> modes?
>>>>>>>>> 
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>>>> ssl_mode at all.
>>>>>>>>> 
>>>>>>>>> —
>>>>>>>>> Denis
>>>>>>>>> 
>>>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isapego@apache.org> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi, Igniters,
>>>>>>>>>> 
>>>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>>>> connection and I need to hear your opinion.
>>>>>>>>>> 
>>>>>>>>>> For the client side I'm going to use the OpenSSL library [1], which is
>>>>>>>>>> the de-facto standard for C/C++ applications. Unfortunately its
>>>>>>>>>> licence is not fully compatible with the Apache Licence, so it's going
>>>>>>>>>> to require users to install OpenSSL themselves.
>>>>>>>>>> 
>>>>>>>>>> For the driver I'm going to add the following options to the
>>>>>>>>>> connection string:
>>>>>>>>>> ssl_mode - Determines whether or with what priority an SSL
>>>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>>>> ssl_key_file - Path to the location of the secret key used for the
>>>>>>>>>> client certificate.
>>>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>>>> 
>>>>>>>>>> If the ssl_mode is not set to "disable" then the ODBC driver will
>>>>>>>>>> attempt to find and load the OpenSSL library before establishing a
>>>>>>>>>> connection.
>>>>>>>>>> 
>>>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>>>> if SSL is enabled and to figure out connection parameters, so
>>>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>>>>> ClientListenerProcessor.
>>>>>>>>>> 
>>>>>>>>>> What do you guys think?
>>>>>>>>>> 
>>>>>>>>>> [1] - https://www.openssl.org
>>>>>>>>>> 
>>>>>>>>>> Best Regards,
>>>>>>>>>> Igor
>>>>>>>>> 
>>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 


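As an added illustration (not Ignite's code, and not written by anyone in this thread), the following Python models the ssl_mode semantics Igor describes above over the parameter set from the final proposal: it pulls the ssl_* keys out of an ODBC-style connection string, gives the transport attempt order for each mode, and flags the configurations a reviewer would question (plaintext fallback, no ssl_ca_file to validate the server against, an unpaired key/cert pair). Treating a missing ssl_mode as "disable" and the sample connection strings are assumptions.

```python
# Illustrative model of the proposed ssl_* connection-string options; not the
# Ignite ODBC driver's code. "require" is treated as SSL-only, as in the final proposal.
from dataclasses import dataclass
from typing import Dict, List, Optional

SSL_MODES = ("disable", "allow", "prefer", "require")

# Transport attempts per mode, in the order the thread describes them.
ATTEMPT_ORDER: Dict[str, List[str]] = {
    "disable": ["plain"],
    "allow": ["plain", "ssl"],    # plain first, SSL only if the server insists
    "prefer": ["ssl", "plain"],   # SSL first, plain if the server lacks SSL
    "require": ["ssl"],           # SSL or error
}

@dataclass
class SslParams:
    mode: str
    key_file: Optional[str] = None
    cert_file: Optional[str] = None
    ca_file: Optional[str] = None

def parse_ssl_params(conn_str: str) -> SslParams:
    """Pull the ssl_* keys out of a 'key=value;key=value' ODBC connection string.
    Assumption: a missing ssl_mode means "disable"."""
    kv: Dict[str, str] = {}
    for item in conn_str.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            kv[key.strip().lower()] = value.strip()
    mode = kv.get("ssl_mode", "disable").lower()
    if mode not in SSL_MODES:
        raise ValueError("unknown ssl_mode: %r" % mode)
    return SslParams(mode, kv.get("ssl_key_file"), kv.get("ssl_cert_file"),
                     kv.get("ssl_ca_file"))

def needs_openssl(p: SslParams) -> bool:
    """OpenSSL is located and loaded only when ssl_mode is not 'disable'."""
    return p.mode != "disable"

def config_warnings(p: SslParams) -> List[str]:
    """Weak spots a reviewer would flag before accepting the connection string."""
    out = []
    if p.mode in ("allow", "prefer"):
        out.append("plaintext fallback allowed: a server without SSL is accepted silently")
    if p.mode != "disable" and not p.ca_file:
        out.append("no ssl_ca_file: the server certificate cannot be validated")
    if bool(p.key_file) != bool(p.cert_file):
        out.append("ssl_key_file and ssl_cert_file must be supplied together")
    return out
```

The ssl_ca_file check is the gap that PostgreSQL's verify-ca / verify-full modes (Igor's references above) exist to close: "require" alone only guarantees encryption, not the server's identity.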