I think it would be enough to have a single switch for now.

On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
> Igor,
>
> Thanks for the clarification. Please file a ticket if nobody else shares
> feedback soon.
>
> —
> Denis
>
> > On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
> >
> > Hi Denis,
> >
> >> Could you explain the difference between “allow, prefer and require”
> >> modes?
> > allow - Client will first try connecting without SSL, and then fall back to
> > SSL if it is not allowed to connect without SSL;
> > prefer - Client will first try connecting using SSL, and then fall back to
> > non-SSL if SSL is not supported by the server;
> > disable - Client will only connect using SSL and return error if failed to
> > successfully do so.
> >
> >> BTW, do we really need to have the “disable” one? Guess that having
> >> ssl_mode set to “disable” will have the same effect as not setting the
> >> ssl_mode at all.
> > This is the matter of the default value of the ssl_mode option. The way you
> > propose it means that you still have the "disable" option, it is just not
> > explicit.
> >
> > Best Regards,
> > Igor
> >
> > On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
> >
> >> Hi Igor,
> >>
> >> Could you explain the difference between “allow, prefer and require” modes?
> >>
> >> BTW, do we really need to have the “disable” one? Guess that having
> >> ssl_mode set to “disable” will have the same effect as not setting the
> >> ssl_mode at all.
> >>
> >> —
> >> Denis
> >>
> >>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>
> >>> Hi, Igniters,
> >>>
> >>> I'm going to start working on the SSL support for the ODBC
> >>> connection and I need to hear your opinion.
> >>>
> >>> For the client side I'm going to use the OpenSSL library [1], which is
> >>> the de facto standard for C/C++ applications. Unfortunately its
> >>> licence is not fully compatible with the Apache Licence, so it's going
> >>> to require users to install OpenSSL themselves.
> >>>
> >>> For the driver I'm going to add the following options to the connection
> >>> string:
> >>> ssl_mode - Determines whether or with what priority an SSL
> >>>            connection will be negotiated with the server. Options
> >>>            here are disable, allow, prefer, require.
> >>> ssl_key_file - Path to the location for the secret key used for the
> >>>                client certificate.
> >>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>
> >>> If the ssl_mode is not set to "disable" then the ODBC driver will
> >>> attempt to find and load the OpenSSL library before establishing
> >>> a connection.
> >>>
> >>> For the server side there is already SslContextFactory in the
> >>> IgniteConfiguration, which is used by all components to determine
> >>> if SSL is enabled and to figure out connection parameters, so
> >>> I think it's a good idea to just re-use it for the
> >>> ClientListenerProcessor.
> >>>
> >>> What do you guys think?
> >>>
> >>> [1] - https://www.openssl.org
> >>>
> >>> Best Regards,
> >>> Igor
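
The ssl_mode semantics discussed in this thread, as an added example that is not part of the original messages or of the Ignite driver code. It shows which transport each mode ends on for a given server and that only `require` can never end in cleartext. Assumptions: `require` means SSL only, `disable` means no SSL, an unset ssl_mode defaults to `disable`, and all function and type names are hypothetical.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

enum class Transport { Plain, Ssl };
enum class Outcome { Failed, Plain, Ssl };

// Split "key=value;key=value" into a map (simplified connection-string syntax).
std::map<std::string, std::string> ParseConnStr(const std::string& s) {
    std::map<std::string, std::string> out;
    std::istringstream in(s);
    std::string item;
    while (std::getline(in, item, ';')) {
        auto eq = item.find('=');
        if (eq != std::string::npos) out[item.substr(0, eq)] = item.substr(eq + 1);
    }
    return out;
}

// Order in which the client tries transports for each mode, per the thread.
std::vector<Transport> AttemptOrder(const std::string& mode) {
    if (mode == "disable") return {Transport::Plain};                  // assumed meaning
    if (mode == "allow")   return {Transport::Plain, Transport::Ssl};
    if (mode == "prefer")  return {Transport::Ssl, Transport::Plain};
    if (mode == "require") return {Transport::Ssl};                    // assumed meaning
    throw std::invalid_argument("unknown ssl_mode: " + mode);
}

// First transport in the attempt order that the answering peer accepts.
Outcome Negotiate(const std::string& connStr, bool peerPlain, bool peerSsl) {
    auto opts = ParseConnStr(connStr);
    auto it = opts.find("ssl_mode");
    std::string mode = (it == opts.end()) ? "disable" : it->second;   // assumed default
    for (Transport t : AttemptOrder(mode)) {
        if (t == Transport::Plain && peerPlain) return Outcome::Plain;
        if (t == Transport::Ssl && peerSsl) return Outcome::Ssl;
    }
    return Outcome::Failed;
}

// True only when no attempt in the mode's order is a cleartext one.
bool GuaranteesEncryption(const std::string& mode) {
    for (Transport t : AttemptOrder(mode))
        if (t == Transport::Plain) return false;
    return true;
}
```

With `prefer` or `allow`, a peer that answers only in cleartext still gets a session, so deployments that depend on encryption need `require` and should treat a failed SSL handshake as a connection error.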