Denis,

For example, there are often such options as "verify-ca" and "verify-full". [1-3]
Moreover, this approach seems more consistent with other solutions and thus more familiar to users.

[1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
[2] - https://docs.oracle.com/cd/E17952_01/connector-odbc-en/connector-odbc-configuration-connection-parameters.html
[3] - https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html

Best Regards,
Igor

On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <dma...@apache.org> wrote:

> Igor,
>
> Why might it not be enough to have ssl_enabled=[true | false]? Could you
> give an example since you’ve already done some research?
>
> —
> Denis
>
> > On Jan 26, 2018, at 6:08 AM, Igor Sapego <isap...@apache.org> wrote:
> >
> > Guys,
> >
> > The SSL for the ODBC is pretty much ready and working, so
> > here is an update on the current state I want to share with you.
> > And of course, I'd like to hear your opinion on this one.
> >
> > First of all, I've checked some discussions about the ssl_mode
> > approaches in different ODBC drivers and it seems to me that
> > there is a big chance that simple ssl_enabled=[true|false]
> > approach is not going to be enough for our users.
> >
> > So I propose a compromise for now. The compromise is to use
> > ssl_mode=[require|disable] parameter right now, which is pretty
> > much as easy to understand as ssl_enabled=[true|false], but
> > leaves us a possibility to add other modes in future if we need
> > them.
> >
> > So the full set of SSL parameters now is the following:
> > ssl_mode=[require|disable]
> > ssl_key_file=<path_to_private_key>
> > ssl_cert_file=<path_to_client_certificate>
> > ssl_ca_file=<path_to_trusted_certificates>
> >
> > Thoughts?
> >
> > Best Regards,
> > Igor
> >
> > On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dma...@apache.org> wrote:
> >
> >> This configuration approach looks clearer to me. +1 for it.
> >>
> >> —
> >> Denis
> >>
> >>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>
> >>> Ok, then how about the following set of options:
> >>>
> >>> ssl_enabled=[true|false]
> >>> ssl_key_file=<path_to_secret_key>
> >>> ssl_cert_file=<path_to_certificate>
> >>>
> >>>
> >>> Best Regards,
> >>> Igor
> >>>
> >>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com> wrote:
> >>>
> >>>> I think it would be enough to have a single switch for now.
> >>>>
> >>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
> >>>>
> >>>>> Igor,
> >>>>>
> >>>>> Thanks for the clarification. Please file a ticket if nobody else shares
> >>>>> feedback soon.
> >>>>>
> >>>>> —
> >>>>> Denis
> >>>>>
> >>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>>>>
> >>>>>> Hi Denis,
> >>>>>>
> >>>>>>> Could you explain the difference between “allow, prefer and require”
> >>>>>>> modes?
> >>>>>> allow - Client will first try connecting without SSL, and then fall back to
> >>>>>> SSL if it is not allowed to connect without SSL;
> >>>>>> prefer - Client will first try connecting using SSL, and then fall back to
> >>>>>> non-SSL if SSL is not supported by the server;
> >>>>>> disable - Client will only connect using SSL and return error if failed to
> >>>>>> successfully do so.
> >>>>>>
> >>>>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
> >>>>>>> ssl_mode at all.
> >>>>>> This is the matter of the default value of the ssl_mode option. The way you
> >>>>>> propose it means that you still have "disable" option, it is just not
> >>>>>> explicit.
> >>>>>>
> >>>>>> Best Regards,
> >>>>>> Igor
> >>>>>>
> >>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
> >>>>>>
> >>>>>>> Hi Igor,
> >>>>>>>
> >>>>>>> Could you explain the difference between “allow, prefer and require”
> >>>>>>> modes?
> >>>>>>>
> >>>>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
> >>>>>>> ssl_mode at all.
> >>>>>>>
> >>>>>>> —
> >>>>>>> Denis
> >>>>>>>
> >>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>> Hi, Igniters,
> >>>>>>>>
> >>>>>>>> I'm going to start working on the SSL support for the ODBC
> >>>>>>>> connection and I need to hear your opinion.
> >>>>>>>>
> >>>>>>>> For the client side I'm going to use OpenSSL library [1], which is
> >>>>>>>> the de facto standard for C/C++ applications. Unfortunately its
> >>>>>>>> licence is not fully compatible with Apache Licence, so it's going
> >>>>>>>> to require users to install OpenSSL themselves.
> >>>>>>>>
> >>>>>>>> For the driver I'm going to add the following options to connection
> >>>>>>>> string:
> >>>>>>>> ssl_mode - Determines whether or with what priority a SSL
> >>>>>>>> connection will be negotiated with the server. Options
> >>>>>>>> here are disable, allow, prefer, require.
> >>>>>>>> ssl_key_file - Path to the location for the secret key used for the
> >>>>>>>> client certificate.
> >>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>>>>>>
> >>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
> >>>>>>>> attempt to find and load OpenSSL library before establishing
> >>>>>>>> connection.
> >>>>>>>>
> >>>>>>>> For the server side there is already SslContextFactory in the
> >>>>>>>> IgniteConfiguration, which is used by all components to determine
> >>>>>>>> if SSL is enabled and to figure out connection parameters, so
> >>>>>>>> I think it's a good idea to just re-use it for the
> >>>>>>>> ClientListenerProcessor.
> >>>>>>>>
> >>>>>>>> What do you guys think?
> >>>>>>>>
> >>>>>>>> [1] - https://www.openssl.org
> >>>>>>>>
> >>>>>>>> Best Regards,
> >>>>>>>> Igor
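
The thread settles on ssl_mode=[require|disable] while leaving room for later modes such as "verify-ca" and "verify-full". The following is an added example, not part of the thread and not Apache Ignite code: a connection-string parser for that parameter set which rejects any unrecognised ssl_mode value instead of silently connecting in plaintext. All type and function names are hypothetical, and the rule that "require" needs all three file paths is an assumption of the example.

```cpp
// Added illustration; all names are hypothetical, not Apache Ignite ODBC driver code.
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

enum class SslMode { Disable, Require };
struct SslConfig {
    SslMode mode = SslMode::Disable;  // assumed default when ssl_mode is absent
    std::string keyFile, certFile, caFile;
};

// Split "k1=v1;k2=v2" into a map (attribute syntax simplified for the example).
std::map<std::string, std::string> ParseAttrs(const std::string& connStr) {
    std::map<std::string, std::string> attrs;
    std::istringstream in(connStr);
    std::string item;
    while (std::getline(in, item, ';')) {
        std::string::size_type eq = item.find('=');
        if (eq == std::string::npos || eq == 0) continue;  // skip malformed items
        attrs[item.substr(0, eq)] = item.substr(eq + 1);
    }
    return attrs;
}

// Fail closed: an unknown ssl_mode is an error, never a silent plaintext fallback.
SslConfig ParseSslConfig(const std::string& connStr) {
    std::map<std::string, std::string> a = ParseAttrs(connStr);
    SslConfig cfg;
    auto it = a.find("ssl_mode");
    if (it != a.end()) {
        if (it->second == "require") cfg.mode = SslMode::Require;
        else if (it->second == "disable") cfg.mode = SslMode::Disable;
        else throw std::invalid_argument("unsupported ssl_mode: " + it->second);
    }
    cfg.keyFile = a["ssl_key_file"];
    cfg.certFile = a["ssl_cert_file"];
    cfg.caFile = a["ssl_ca_file"];
    // Assumption of this example: "require" needs all three files to be set.
    if (cfg.mode == SslMode::Require &&
        (cfg.keyFile.empty() || cfg.certFile.empty() || cfg.caFile.empty()))
        throw std::invalid_argument("ssl_mode=require needs key, cert and CA files");
    return cfg;
}

int main() {  // constructed connection string; exit code 0 means TLS is required
    SslConfig c = ParseSslConfig("ssl_mode=require;ssl_key_file=k.pem;ssl_cert_file=c.pem;ssl_ca_file=ca.pem");
    return c.mode == SslMode::Require ? 0 : 1;
}
```

Because the mode is an enum with an explicit error branch, adding a mode later means adding one case, and a misspelled value such as "requre" fails the connection attempt rather than downgrading it.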