Ilya,

Thanks for picking up this belated task. The solution you found seems ideal to me. I would go for it.

BTW, not sure we need an IEP for this improvement.

--
Denis

On Thu, May 3, 2018 at 7:54 AM, Ilya Kasnacheev <ilya.kasnach...@gmail.com> wrote:
> A follow up on https://issues.apache.org/jira/browse/IGNITE-6167
>
> Some users want to specify a list of ciphers to use in their controlled
> environment, limiting to a select few ciphers with ordering.
>
> I have tried to implement the work-around myself, and found the amount
> of code and copy-paste to be seriously non-trivial.
>
> I have found the following library:
> https://github.com/soulwing/ssl-context-tools - It allows specifying a list
> of ciphers, but unfortunately it doesn't work with Ignite since it can't
> create unbound sockets :) Its customization options are also limited.
>
> Having said that, I propose the following change to the API:
> Let's have IgniteConfiguration.setSslParameters(SSLParameters parameters)
> Yeah, let's just use this class everywhere:
> https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html
> It already contains a decent number of configurable parameters. I will
> check it, but it should be Spring-initializable by the looks of it.
>
> This means we have
> IgniteConfiguration.setSslContextFactory(Factory<SSLContext>) and
> IgniteConfiguration.setSslParameters(SSLParameters) with full forward
> compatibility.
>
> NB: We will also set "need client auth" for node-node communication and
> discovery, but it will be configurable for other clients, REST, etc. I
> think it would make sense to have separate SSL parameters for client
> connectors, however I'm not sure, so I'll try to minimize impact for now.
>
> WDYT? I'll create an IEP if this looks good to you, fellow igniters.
>
> --
> Ilya Kasnacheev
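The thread proposes passing a javax.net.ssl.SSLParameters object into the node configuration so that an operator can pin an ordered list of cipher suites and enforce client authentication. The program below is an added illustration, not Ignite code and not the proposed IgniteConfiguration.setSslParameters API (which exists only as a proposal in this thread): it shows what such a setter has to do with the object, using only standard JSSE calls. It builds SSLParameters from a constructed cipher list, drops any suite the provider does not know (JSSE rejects unknown names with IllegalArgumentException, which is the usual failure mode of a hand-written cipher list), turns on need-client-auth as the thread describes for node-to-node links, and applies the result to an SSLEngine. SSLContext.getDefault() stands in for the Factory<SSLContext> a real node would use; the cipher and protocol names are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Illustration only: builds a restricted, ordered cipher configuration as an
 * SSLParameters and applies it to an SSLEngine. This is what a
 * setSslParameters(SSLParameters) setter (proposed, not an existing Ignite API)
 * would have to do for every engine or socket the node creates.
 */
public class SslParametersExample {

    /** Preferred cipher suites in priority order (constructed example list). */
    static final String[] PREFERRED_CIPHERS = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_NOT_A_REAL_SUITE_FOR_DEMO"   // deliberately unsupported, will be skipped
    };

    /** Protocol versions to enable (assumed for the example). */
    static final String[] PROTOCOLS = { "TLSv1.2" };

    /**
     * Builds SSLParameters from the wanted cipher list, keeping the operator's
     * order and dropping suites the provider does not support. Without the
     * filter, SSLEngine.setSSLParameters would throw IllegalArgumentException
     * on the first unknown name.
     */
    static SSLParameters buildParameters(SSLContext ctx, String[] wantedCiphers,
                                         String[] protocols, boolean needClientAuth) {
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));

        List<String> enabled = new ArrayList<>();
        for (String c : wantedCiphers) {
            if (supported.contains(c))
                enabled.add(c);
            else
                System.err.println("Skipping unsupported cipher suite: " + c);
        }
        if (enabled.isEmpty())
            throw new IllegalStateException("None of the configured cipher suites is supported");

        SSLParameters params = new SSLParameters();
        params.setCipherSuites(enabled.toArray(new String[0]));
        params.setProtocols(protocols);
        // Node-to-node communication and discovery require mutual TLS per the thread;
        // client connectors would pass false (or a separate SSLParameters).
        params.setNeedClientAuth(needClientAuth);
        // Server side honours the local order only with this flag (Java 8+).
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    /** Applies the parameters to a new engine; SSLSocket/SSLServerSocket take the same call. */
    static SSLEngine configureEngine(SSLContext ctx, SSLParameters params, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);
        engine.setSSLParameters(params);   // copies suites, protocols and the client-auth flag
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder for the node's Factory<SSLContext>: the JVM default context.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = buildParameters(ctx, PREFERRED_CIPHERS, PROTOCOLS, true);

        SSLEngine server = configureEngine(ctx, params, false);
        System.out.println("Enabled protocols:     " + Arrays.toString(server.getEnabledProtocols()));
        System.out.println("Enabled cipher suites: " + Arrays.toString(server.getEnabledCipherSuites()));
        System.out.println("Need client auth:      " + server.getNeedClientAuth());
    }
}
```

Run it with a plain `java SslParametersExample.java` on a JDK 11+ and compare the printed suite list with PREFERRED_CIPHERS: the order is preserved and the bogus entry is gone. The filtering step is the part worth keeping in a real implementation, because the set of supported suites differs between JDK versions and providers, and a configuration that is valid on one node can otherwise fail to start on another.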