[
https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697489#comment-13697489
]
Sijie Guo edited comment on BOOKKEEPER-588 at 7/2/13 4:10 AM:
--------------------------------------------------------------
{quote}
btw, have you guys found a usecase for SSL support?
{quote}
I don't know of such a case yet. Somehow SSL is required for protecting some
sensitive data, so I think if you want to use BookKeeper to store sensitive
data, it might be required over an SSL-encrypted channel.
{quote}
StartTLS is pretty standard practice, smtp, imap, pop, ldap, xmpp all use it.
{quote}
If you check any existing services
(https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers), they
support both secure and non-secure ports. For example, the IMAP port is 143, while
SSL/TLS-encrypted IMAP uses port 993.
I don't think mixing the non-SSL port with the SSL port is a good practice,
since it would make debugging and troubleshooting very complicated. But if the
non-SSL port is separated from the SSL port, it's straightforward for any client to
disable the SSL port without paying any cost.
{quote}
And if a bookie has been non-ssl only in the past? does its id change? If so,
what happens when a client tries to read a ledger which was on that bookie.
{quote}
No. If a bookie has been non-SSL only in the past, it should start with its
previous installation, since the cookie already has its previous identifier, so
any bookie client that connects to this bookie would only use its non-SSL port.
If a bookie wants to upgrade to enable SSL support, it needs to run an admin
tool provided in BOOKKEEPER-634 to change its identifier. Changing the
identifier is somehow needed by BOOKKEEPER-639; we could leverage the tasks in
BOOKKEEPER-634 to achieve it.
And for the SSL upgrade, the admin could decide whether to change the identifier in
ledger metadata or not. If not, we could just change the cookie.
was (Author: hustlmsp):
{quote}
btw, have you guys found a usecase for SSL support?
{quote}
I don't know of such a case yet. Somehow SSL is required for protecting some
sensitive data, so I think if you want to use BookKeeper to store sensitive
data, it might be required over an SSL-encrypted channel.
{quote}
StartTLS is pretty standard practice, smtp, imap, pop, ldap, xmpp all use it.
{quote}
If you check any existing services
(https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers), they
support both secure and non-secure ports. For example, the IMAP port is 143, while
SSL/TLS-encrypted IMAP uses port 993.
I don't think mixing the non-SSL port with the SSL port is a good practice,
since it would make debugging and troubleshooting very complicated. And it's
straightforward for any client to disable the SSL port without paying any cost.
{quote}
And if a bookie has been non-ssl only in the past? does its id change? If so,
what happens when a client tries to read a ledger which was on that bookie.
{quote}
No. If a bookie has been non-SSL only in the past, it should start with its
previous installation, since the cookie already has its previous identifier, so
any bookie client that connects to this bookie would only use its non-SSL port.
If a bookie wants to upgrade to enable SSL support, it needs to run an admin
tool provided in BOOKKEEPER-634 to change its identifier. Changing the
identifier is somehow needed by BOOKKEEPER-639; we could leverage the tasks in
BOOKKEEPER-634 to achieve it.
And for the SSL upgrade, the admin could decide whether to change the identifier in
ledger metadata or not. If not, we could just change the cookie.
> SSL support
> -----------
>
> Key: BOOKKEEPER-588
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
> Project: Bookkeeper
> Issue Type: Sub-task
> Reporter: Ivan Kelly
> Assignee: Ivan Kelly
> Fix For: 4.3.0
>
> Attachments: 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS