Igor,

Why might it not be enough to have ssl_enabled=[true | false]? Could you give an example, since you’ve already done the research?
— Denis

> On Jan 26, 2018, at 6:08 AM, Igor Sapego <isap...@apache.org> wrote:
>
> Guys,
>
> The SSL for the ODBC is pretty much ready and working, so
> here is an update on the current state I want to share with you.
> And of course, I'd like to hear your opinion on this one.
>
> First of all, I've checked some discussions about the ssl_mode
> approaches in different ODBC drivers and it seems to me that
> there is a big chance that simple ssl_enabled=[true|false]
> approach is not going to be enough for our users.
>
> So I propose a compromise for now. The compromise is to use
> ssl_mode=[require|disable] parameter right now, which is pretty
> much as easy to understand as ssl_enabled=[true|false], but
> leaves us a possibility to add other modes in future if we need
> them.
>
> So the full set of SSL parameters now is the following:
> ssl_mode=[require|disable]
> ssl_key_file=<path_to_private_key>
> ssl_cert_file=<path_to_client_certificate>
> ssl_ca_file=<path_to_trusted_certificates>
>
> Thoughts?
>
> Best Regards,
> Igor
>
> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dma...@apache.org> wrote:
>
>> This configuration approach looks clearer to me. +1 for it.
>>
>> —
>> Denis
>>
>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:
>>>
>>> Ok, then how about the following set of options:
>>>
>>> ssl_enabled=[true|false]
>>> ssl_key_file=<path_to_secret_key>
>>> ssl_cert_file=<path_to_certificate>
>>>
>>>
>>> Best Regards,
>>> Igor
>>>
>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com>
>>> wrote:
>>>
>>>> I think it would be enough to have a single switch for now.
>>>>
>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
>>>>
>>>>> Igor,
>>>>>
>>>>> Thanks for the clarification. Please file a ticket if nobody else shares
>>>>> feedback soon.
>>>>>
>>>>> —
>>>>> Denis
>>>>>
>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>>
>>>>>> Hi Denis,
>>>>>>
>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>>> modes?
>>>>>> allow - Client will first try connecting without SSL, and then fallback to
>>>>>> SSL if it is not allowed to connect without SSL;
>>>>>> prefer - Client will first try connecting using SSL, and then fallback to
>>>>>> non-SSL if SSL is not supported by the server;
>>>>>> disable - Client will only connect using SSL and return error if failed to
>>>>>> successfully do so.
>>>>>>
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>> ssl_mode at all.
>>>>>> This is the matter of the default value of the ssl_mode option. The way you
>>>>>> propose it means that you still have "disable" option, it is just not
>>>>>> explicit.
>>>>>>
>>>>>> Best Regards,
>>>>>> Igor
>>>>>>
>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
>>>>>>
>>>>>>> Hi Igor,
>>>>>>>
>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>>> modes?
>>>>>>>
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>> ssl_mode at all.
>>>>>>>
>>>>>>> —
>>>>>>> Denis
>>>>>>>
>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Hi, Igniters,
>>>>>>>>
>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>> connection and I need to hear your opinion.
>>>>>>>>
>>>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>>>> the de facto standard for C/C++ applications. Unfortunately its
>>>>>>>> licence is not fully compatible with Apache Licence, so it's going
>>>>>>>> to require users to install OpenSSL themselves.
>>>>>>>>
>>>>>>>> For the driver I'm going to add following options to connection
>>>>>>>> string:
>>>>>>>> ssl_mode - Determines whether or with what priority an SSL
>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>>> client certificate.
>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>>
>>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>>>> connection.
>>>>>>>>
>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>> if the SSL enabled and to figure out connection parameters, so
>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>>> ClientListenerProcessor.
>>>>>>>>
>>>>>>>> What do you guys think?
>>>>>>>>
>>>>>>>> [1] - https://www.openssl.org
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Igor
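
Added example (not part of the thread, and not the Ignite ODBC driver's code): how the four ssl_mode values listed in the original proposal translate into connection attempts, and which of them can still end in an unencrypted session. It assumes "require" is the SSL-only mode and that an unset ssl_mode behaves like "disable"; all type and function names are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical names; not the Ignite ODBC driver's code.
enum class Transport { Plain, Ssl };

struct SslPlan {
    std::vector<Transport> attempts;  // order in which the client tries to connect
    bool mayEndInPlaintext;           // true if any attempt is unencrypted
};

// Split "key=value;key=value" into a map (keys treated as case-sensitive here).
std::map<std::string, std::string> ParseConnectionString(const std::string& s) {
    std::map<std::string, std::string> out;
    std::istringstream in(s);
    std::string item;
    while (std::getline(in, item, ';')) {
        if (item.empty()) continue;
        const auto eq = item.find('=');
        if (eq == std::string::npos || eq == 0)
            throw std::invalid_argument("malformed attribute: " + item);
        out[item.substr(0, eq)] = item.substr(eq + 1);
    }
    return out;
}

// Assumption: a missing ssl_mode behaves like "disable". Unknown values are
// rejected instead of being silently treated as a weaker mode.
SslPlan PlanFor(const std::string& connStr) {
    const auto attrs = ParseConnectionString(connStr);
    const auto it = attrs.find("ssl_mode");
    const std::string mode = (it == attrs.end()) ? "disable" : it->second;
    if (mode == "disable") return {{Transport::Plain}, true};
    if (mode == "allow")   return {{Transport::Plain, Transport::Ssl}, true};
    if (mode == "prefer")  return {{Transport::Ssl, Transport::Plain}, true};
    if (mode == "require") return {{Transport::Ssl}, false};
    throw std::invalid_argument("unsupported ssl_mode: " + mode);
}

int main() {
    // Constructed sample connection string.
    const SslPlan p = PlanFor("ssl_mode=prefer;ssl_cert_file=/tmp/client.pem");
    std::cout << "attempts=" << p.attempts.size()
              << " plaintext_possible=" << p.mayEndInPlaintext << "\n";
}
```

Only `require` produces a plan with no plaintext attempt; `allow` and `prefer` both keep an unencrypted connection as a fallback.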