Guys,

The SSL for the ODBC is pretty much ready and working, so here is an update on the current state I want to share with you. And of course, I'd like to hear your opinion on this one.

First of all, I've checked some discussions about the ssl_mode approaches in different ODBC drivers and it seems to me that there is a big chance that a simple ssl_enabled=[true|false] approach is not going to be enough for our users. So I propose a compromise for now. The compromise is to use the ssl_mode=[require|disable] parameter right now, which is pretty much as easy to understand as ssl_enabled=[true|false], but leaves us a possibility to add other modes in future if we need them.

So the full set of SSL parameters now is the following:

ssl_mode=[require|disable]
ssl_key_file=<path_to_private_key>
ssl_cert_file=<path_to_client_certificate>
ssl_ca_file=<path_to_trusted_certificates>

Thoughts?

Best Regards,
Igor

On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dma...@apache.org> wrote:

> This configuration approach looks clearer to me. +1 for it.
>
> —
> Denis
>
> > On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:
> >
> > Ok, then how about the following set of options:
> >
> > ssl_enabled=[true|false]
> > ssl_key_file=<path_to_secret_key>
> > ssl_cert_file=<path_to_certificate>
> >
> > Best Regards,
> > Igor
> >
> > On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com>
> > wrote:
> >
> >> I think it would be enough to have a single switch for now.
> >>
> >> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
> >>
> >>> Igor,
> >>>
> >>> Thanks for the clarification. Please file a ticket if nobody else
> >>> shares feedback soon.
> >>>
> >>> —
> >>> Denis
> >>>
> >>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>>
> >>>> Hi Denis,
> >>>>
> >>>>> Could you explain the difference between “allow, prefer and require” modes?
> >>>> allow - Client will first try connecting without SSL, and then fall
> >>>> back to SSL if it is not allowed to connect without SSL;
> >>>> prefer - Client will first try connecting using SSL, and then fall
> >>>> back to non-SSL if SSL is not supported by the server;
> >>>> disable - Client will only connect using SSL and return an error if
> >>>> it failed to successfully do so.
> >>>>
> >>>>> BTW, do we really need to have the “disable” one? Guess that having ssl_mode set to “disable” will have the same effect as not setting the ssl_mode at all.
> >>>>
> >>>> This is a matter of the default value of the ssl_mode option. The way
> >>>> you propose it means that you still have the "disable" option, it
> >>>> just is not explicit.
> >>>>
> >>>> Best Regards,
> >>>> Igor
> >>>>
> >>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
> >>>>
> >>>>> Hi Igor,
> >>>>>
> >>>>> Could you explain the difference between “allow, prefer and require”
> >>>>> modes?
> >>>>>
> >>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>> ssl_mode set to “disable” will have the same effect as not setting
> >>>>> the ssl_mode at all.
> >>>>>
> >>>>> —
> >>>>> Denis
> >>>>>
> >>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>>>>
> >>>>>> Hi, Igniters,
> >>>>>>
> >>>>>> I'm going to start working on the SSL support for the ODBC
> >>>>>> connection and I need to hear your opinion.
> >>>>>>
> >>>>>> For the client side I'm going to use the OpenSSL library [1], which
> >>>>>> is the de facto standard for C/C++ applications. Unfortunately its
> >>>>>> licence is not fully compatible with the Apache Licence, so it's
> >>>>>> going to require users to install OpenSSL themselves.
> >>>>>>
> >>>>>> For the driver I'm going to add the following options to the
> >>>>>> connection string:
> >>>>>> ssl_mode - Determines whether or with what priority an SSL
> >>>>>>            connection will be negotiated with the server. Options
> >>>>>>            here are disable, allow, prefer, require.
> >>>>>> ssl_key_file - Path to the location for the secret key used for the
> >>>>>>                client certificate.
> >>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>>>>
> >>>>>> If the ssl_mode is not set to "disable" then the ODBC driver will
> >>>>>> attempt to find and load the OpenSSL library before establishing a
> >>>>>> connection.
> >>>>>>
> >>>>>> For the server side there is already SslContextFactory in the
> >>>>>> IgniteConfiguration, which is used by all components to determine
> >>>>>> if SSL is enabled and to figure out connection parameters, so
> >>>>>> I think it's a good idea to just re-use it for the
> >>>>>> ClientListenerProcessor.
> >>>>>>
> >>>>>> What do you guys think?
> >>>>>>
> >>>>>> [1] - https://www.openssl.org
> >>>>>>
> >>>>>> Best Regards,
> >>>>>> Igor
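
Added example, not part of the original thread and not the Ignite ODBC driver's code: one way a driver could parse the proposed ssl_mode=[require|disable] parameter set so that unsupported modes and misspelled, duplicated or valueless ssl_* options are rejected instead of being ignored. The names SslConfig, ParseSslConfig, Norm and IsRejected, the default of "disable" when ssl_mode is absent, and the rule that "require" needs ssl_ca_file are assumptions.

```cpp
#include <cctype>
#include <map>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>

enum class SslMode { Disable, Require };
struct SslConfig { SslMode mode; std::string keyFile, certFile, caFile; };

std::string Norm(const std::string& s) {  // lower-case, whitespace removed
    std::string out;
    for (unsigned char c : s) if (!std::isspace(c)) out += static_cast<char>(std::tolower(c));
    return out;
}

// Hypothetical parser for "key=value;..." connection strings. Unknown, duplicated
// or valueless ssl_* options throw, so they are never silently dropped.
SslConfig ParseSslConfig(const std::string& connStr) {
    static const std::set<std::string> known{"ssl_mode", "ssl_key_file", "ssl_cert_file", "ssl_ca_file"};
    std::map<std::string, std::string> kv;
    std::istringstream in(connStr);
    for (std::string item; std::getline(in, item, ';');) {
        const auto eq = item.find('=');
        const std::string key = Norm(item.substr(0, eq));
        if (key.rfind("ssl_", 0) != 0) continue;  // non-SSL options are out of scope
        if (eq == std::string::npos || !known.count(key))
            throw std::invalid_argument("bad SSL option: " + item);
        if (!kv.emplace(key, item.substr(eq + 1)).second)
            throw std::invalid_argument("duplicate SSL option: " + key);
    }
    // Assumption: a missing ssl_mode behaves like "disable".
    const std::string mode = kv.count("ssl_mode") ? Norm(kv["ssl_mode"]) : "disable";
    if (mode != "require" && mode != "disable") throw std::invalid_argument("unsupported ssl_mode: " + mode);
    SslConfig cfg{mode == "require" ? SslMode::Require : SslMode::Disable,
                  kv["ssl_key_file"], kv["ssl_cert_file"], kv["ssl_ca_file"]};
    if (cfg.mode == SslMode::Require) {
        // Assumed policy: a CA bundle is mandatory; key and certificate come as a pair.
        if (cfg.caFile.empty()) throw std::invalid_argument("ssl_mode=require needs ssl_ca_file");
        if (cfg.keyFile.empty() != cfg.certFile.empty())
            throw std::invalid_argument("ssl_key_file and ssl_cert_file must be set together");
    }
    return cfg;
}

bool IsRejected(const std::string& connStr) {
    try { ParseSslConfig(connStr); return false; }
    catch (const std::invalid_argument&) { return true; }
}
```

With this policy, the "allow" and "prefer" values from the earlier proposal are refused until the driver actually implements them, so asking for a mode the driver does not know never results in an unencrypted connection.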