Agree with Igor, we should be able to configure verification in future, and this approach seems to be widely used.
On Mon, Jan 29, 2018 at 2:50 PM, Igor Sapego <isap...@gridgain.com> wrote:

Denis,

For example, there are often such options as "verify-ca" and "verify-full" [1-3].
Moreover, this approach seems more consistent with other solutions and thus more familiar to users.

[1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
[2] - https://docs.oracle.com/cd/E17952_01/connector-odbc-en/connector-odbc-configuration-connection-parameters.html
[3] - https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html

Best Regards,
Igor

On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <dma...@apache.org> wrote:

Igor,

Why might it not be enough to have ssl_enabled=[true | false]? Could you give an example, since you've already done the research?

—
Denis

On Jan 26, 2018, at 6:08 AM, Igor Sapego <isap...@apache.org> wrote:

Guys,

The SSL for the ODBC is pretty much ready and working, so here is an update on the current state I want to share with you. And of course, I'd like to hear your opinion on this one.

First of all, I've checked some discussions about the ssl_mode approaches in different ODBC drivers and it seems to me that there is a big chance that a simple ssl_enabled=[true|false] approach is not going to be enough for our users.

So I propose a compromise for now. The compromise is to use the ssl_mode=[require|disable] parameter right now, which is pretty much as easy to understand as ssl_enabled=[true|false], but leaves us a possibility to add other modes in future if we need them.

So the full set of SSL parameters now is the following:
ssl_mode=[require|disable]
ssl_key_file=<path_to_private_key>
ssl_cert_file=<path_to_client_certificate>
ssl_ca_file=<path_to_trusted_certificates>

Thoughts?

Best Regards,
Igor

On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dma...@apache.org> wrote:

This configuration approach looks clearer to me. +1 for it.

—
Denis

On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:

Ok, then how about the following set of options:

ssl_enabled=[true|false]
ssl_key_file=<path_to_secret_key>
ssl_cert_file=<path_to_certificate>

Best Regards,
Igor

On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com> wrote:

I think it would be enough to have a single switch for now.

On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:

Igor,

Thanks for the clarification. Please file a ticket if nobody else shares feedback soon.

—
Denis

On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:

Hi Denis,

> Could you explain the difference between “allow, prefer and require” modes?
allow - Client will first try connecting without SSL, and then fall back to SSL if it is not allowed to connect without SSL;
prefer - Client will first try connecting using SSL, and then fall back to non-SSL if SSL is not supported by the server;
disable - Client will only connect using SSL and return an error if it fails to successfully do so.

> BTW, do we really need to have the “disable” one? Guess that having ssl_mode set to “disable” will have the same effect as not setting the ssl_mode at all.
This is the matter of the default value of the ssl_mode option. The way you propose it means that you still have the "disable" option, it is just not explicit.

Best Regards,
Igor

On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:

Hi Igor,

Could you explain the difference between “allow, prefer and require” modes?

BTW, do we really need to have the “disable” one? Guess that having ssl_mode set to “disable” will have the same effect as not setting the ssl_mode at all.

—
Denis

On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:

Hi, Igniters,

I'm going to start working on the SSL support for the ODBC connection and I need to hear your opinion.

For the client side I'm going to use the OpenSSL library [1], which is the de facto standard for C/C++ applications. Unfortunately its licence is not fully compatible with the Apache Licence, so it's going to require users to install OpenSSL themselves.

For the driver I'm going to add the following options to the connection string:
ssl_mode - Determines whether or with what priority an SSL connection will be negotiated with the server. Options here are disable, allow, prefer, require.
ssl_key_file - Path to the location for the secret key used for the client certificate.
ssl_cert_file - Path to the file of the client SSL certificate.

If the ssl_mode is not set to "disable" then the ODBC driver will attempt to find and load the OpenSSL library before establishing a connection.

For the server side there is already SslContextFactory in the IgniteConfiguration, which is used by all components to determine if SSL is enabled and to figure out connection parameters, so I think it's a good idea to just re-use it for the ClientListenerProcessor.

What do you guys think?

[1] - https://www.openssl.org

Best Regards,
Igor
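The connection-string options this thread converges on, as an added C++ illustration that is neither the thread's nor the Ignite ODBC driver's code: it parses an ODBC-style connection string, resolves ssl_mode (the [require|disable] pair plus the verify-ca / verify-full modes from the libpq docs cited above; allow and prefer from the first draft are deliberately left out) together with ssl_key_file, ssl_cert_file and ssl_ca_file, and makes explicit that only the verify-* modes authenticate the server. The SslMode enum, the function names, the default of treating an absent ssl_mode as disable, and the rule that verify-* requires ssl_ca_file are this example's assumptions.

```cpp
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical model of the thread's ssl_mode values plus libpq's verify-ca / verify-full.
enum class SslMode { Disable, Require, VerifyCa, VerifyFull };

struct SslSettings {
    SslMode mode = SslMode::Disable;  // assumption: an absent ssl_mode means disable
    std::string keyFile, certFile, caFile;
};
// Only verify-ca / verify-full authenticate the server; "require" encrypts but trusts any cert.
bool ServerIsAuthenticated(SslMode m) { return m == SslMode::VerifyCa || m == SslMode::VerifyFull; }

// Parse ODBC-style "key=value;key=value" (keys lower-cased; {braced} values with ';' not handled).
std::map<std::string, std::string> ParseConnectionString(const std::string& cs) {
    std::map<std::string, std::string> out;
    for (size_t pos = 0, end = 0; pos <= cs.size(); pos = end + 1) {
        end = cs.find(';', pos);
        if (end == std::string::npos) end = cs.size();
        std::string item = cs.substr(pos, end - pos);
        size_t eq = item.find('=');
        if (eq == std::string::npos) continue;
        std::string key = item.substr(0, eq);
        for (char& c : key) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        out[key] = item.substr(eq + 1);
    }
    return out;
}

// Reject unknown modes; verify-* needs ssl_ca_file (no trust anchor, nothing to verify against).
SslSettings ResolveSslSettings(const std::map<std::string, std::string>& params) {
    auto get = [&](const char* k) { auto it = params.find(k); return it == params.end() ? std::string() : it->second; };
    SslSettings s;
    std::string mode = get("ssl_mode");
    if (mode.empty() || mode == "disable") s.mode = SslMode::Disable;
    else if (mode == "require") s.mode = SslMode::Require;
    else if (mode == "verify-ca") s.mode = SslMode::VerifyCa;
    else if (mode == "verify-full") s.mode = SslMode::VerifyFull;
    else throw std::invalid_argument("unknown ssl_mode: " + mode);
    s.keyFile = get("ssl_key_file"); s.certFile = get("ssl_cert_file"); s.caFile = get("ssl_ca_file");
    if (ServerIsAuthenticated(s.mode) && s.caFile.empty())
        throw std::invalid_argument("ssl_ca_file is required for ssl_mode=" + mode);
    return s;
}
// True when the string is rejected, so misconfiguration surfaces before any connect attempt.
bool RejectsConnectionString(const std::string& cs) {
    try { ResolveSslSettings(ParseConnectionString(cs)); return false; } catch (const std::invalid_argument&) { return true; }
}
```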