On Mon, 21 Mar 2022 at 16:31, Yunze Xu <y...@streamnative.io.invalid> wrote:
>
> Hi all,
>
> Recently I found a document error when configuring Pulsar client for TLS
> encryption. See https://github.com/apache/pulsar/issues/14762. However, the code
> example in the official documents is more intuitive.
>
> See https://pulsar.apache.org/docs/en/security-tls-transport/#java-client, the
> example code doesn't configure `AuthenticationTls`, but it is required once TLS
> encryption is enabled, even if TLS authentication is not enabled. Because the
> client side can only send an SSL handshake via `AuthenticationTls`. It would be
> confusing.
>
> Since the cert file and the key file are generated using a CA, whose path is
> specified by the `tlsTrustCertsFilePath` method, I think it would be possible to
> generate a cert and a key file automatically. We only need to specify a common
> name, which represents the role when authentication is enabled.

Usually a service cannot generate a "valid" certificate automatically, it MUST be signed by a CA.
We may add an option to automatically generate a certificate (and a CA) but that will work only for DEV environments.

Enrico

> My initial design is, when the client configures the `tlsTrustCertsFilePath`:
> - If no authentication plugin is enabled, generate the cert and key files
>   automatically using a default common name.
> - Otherwise, use the cert and key files specified in `AuthenticationTls`.
>
> The benefit is, when you want to pass the TLS authentication, you must configure
> `AuthenticationTls` at client side, while you only need to configure
> `tlsTrustCertsFilePath` if the broker side only enables TLS encryption.
>
> What do you think? Is there a better solution?
>
> Thanks,
> Yunze
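The two Java client configurations the thread distinguishes (CA trust cert only, and CA trust cert plus `AuthenticationTls` for TLS authentication), as an added example that is not from the thread or the Pulsar docs; the broker URL and the certificate paths are constructed placeholders.

```java
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;

public class TlsClientExample {

    // Constructed placeholder paths; in practice these are files issued by your own CA.
    static final String CA_CERT     = "/path/to/ca.cert.pem";
    static final String CLIENT_CERT = "/path/to/client.cert.pem";
    static final String CLIENT_KEY  = "/path/to/client.key-pk8.pem";
    static final String SERVICE_URL = "pulsar+ssl://broker.example.com:6651"; // placeholder host

    // TLS transport only: the broker certificate is verified against the CA given
    // by tlsTrustCertsFilePath; the client presents no certificate of its own.
    static PulsarClient encryptionOnly() throws PulsarClientException {
        return PulsarClient.builder()
                .serviceUrl(SERVICE_URL)
                .tlsTrustCertsFilePath(CA_CERT)
                .allowTlsInsecureConnection(false)   // reject broker certs not chained to the CA
                .enableTlsHostnameVerification(true) // and certs issued for a different host
                .build();
    }

    // TLS transport plus TLS authentication: the client also presents a CA-signed
    // certificate whose subject (common name) the broker maps to a role.
    static PulsarClient encryptionAndAuth() throws PulsarClientException {
        return PulsarClient.builder()
                .serviceUrl(SERVICE_URL)
                .tlsTrustCertsFilePath(CA_CERT)
                .allowTlsInsecureConnection(false)
                .enableTlsHostnameVerification(true)
                .authentication(AuthenticationFactory.TLS(CLIENT_CERT, CLIENT_KEY))
                .build();
    }

    public static void main(String[] args) throws PulsarClientException {
        // Opening a producer forces the connection, so a wrong CA, a hostname
        // mismatch or a rejected client cert surfaces here as a PulsarClientException.
        try (PulsarClient client = encryptionAndAuth()) {
            client.newProducer().topic("persistent://public/default/tls-check").create().close();
        }
    }
}
```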