Igor,

Thanks for the references. Now it makes total sense to me. Let’s go for your approach suggested earlier.

—
Denis

> On Jan 29, 2018, at 3:50 AM, Igor Sapego <isap...@gridgain.com> wrote:
>
> Denis,
>
> For example, there are often such options as "verify-ca" and "verify-full". [1-3]
> Moreover, this approach seems more consistent with other solutions and thus
> more familiar to the user.
>
> [1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
> [2] - https://docs.oracle.com/cd/E17952_01/connector-odbc-en/connector-odbc-configuration-connection-parameters.html
> [3] - https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
>
> Best Regards,
> Igor
>
> On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <dma...@apache.org> wrote:
>
>> Igor,
>>
>> Why might it not be enough to have ssl_enabled=[true | false]? Could you
>> give an example since you’ve already done the research?
>>
>> —
>> Denis
>>
>>> On Jan 26, 2018, at 6:08 AM, Igor Sapego <isap...@apache.org> wrote:
>>>
>>> Guys,
>>>
>>> The SSL for the ODBC is pretty much ready and working, so
>>> here is an update on the current state I want to share with you.
>>> And of course, I'd like to hear your opinion on this one.
>>>
>>> First of all, I've checked some discussions about the ssl_mode
>>> approaches in different ODBC drivers and it seems to me that
>>> there is a big chance that the simple ssl_enabled=[true|false]
>>> approach is not going to be enough for our users.
>>>
>>> So I propose a compromise for now. The compromise is to use
>>> the ssl_mode=[require|disable] parameter right now, which is pretty
>>> much as easy to understand as ssl_enabled=[true|false], but
>>> leaves us a possibility to add other modes in future if we need
>>> them.
>>>
>>> So the full set of SSL parameters now is the following:
>>> ssl_mode=[require|disable]
>>> ssl_key_file=<path_to_private_key>
>>> ssl_cert_file=<path_to_client_certificate>
>>> ssl_ca_file=<path_to_trusted_certificates>
>>>
>>> Thoughts?
>>>
>>> Best Regards,
>>> Igor
>>>
>>> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <dma...@apache.org> wrote:
>>>
>>>> This configuration approach looks clearer to me. +1 for it.
>>>>
>>>> —
>>>> Denis
>>>>
>>>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>
>>>>> Ok, then how about the following set of options:
>>>>>
>>>>> ssl_enabled=[true|false]
>>>>> ssl_key_file=<path_to_secret_key>
>>>>> ssl_cert_file=<path_to_certificate>
>>>>>
>>>>>
>>>>> Best Regards,
>>>>> Igor
>>>>>
>>>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com> wrote:
>>>>>
>>>>>> I think it would be enough to have a single switch for now.
>>>>>>
>>>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
>>>>>>
>>>>>>> Igor,
>>>>>>>
>>>>>>> Thanks for the clarification. Please file a ticket if nobody else shares
>>>>>>> feedback soon.
>>>>>>>
>>>>>>> —
>>>>>>> Denis
>>>>>>>
>>>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Hi Denis,
>>>>>>>>
>>>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>>>>> modes?
>>>>>>>> allow - Client will first try connecting without SSL, and then fall back to
>>>>>>>> SSL if it is not allowed to connect without SSL;
>>>>>>>> prefer - Client will first try connecting using SSL, and then fall back to
>>>>>>>> non-SSL if SSL is not supported by the server;
>>>>>>>> disable - Client will only connect using SSL and return error if failed to
>>>>>>>> successfully do so.
>>>>>>>>
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>>>> ssl_mode at all.
>>>>>>>> This is the matter of the default value of the ssl_mode option. The way you
>>>>>>>> propose it means that you still have the "disable" option, it is just not
>>>>>>>> explicit.
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Igor
>>>>>>>>
>>>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> Hi Igor,
>>>>>>>>>
>>>>>>>>> Could you explain the difference between “allow, prefer and require” modes?
>>>>>>>>>
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>>>>> ssl_mode at all.
>>>>>>>>>
>>>>>>>>> —
>>>>>>>>> Denis
>>>>>>>>>
>>>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi, Igniters,
>>>>>>>>>>
>>>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>>>> connection and I need to hear your opinion.
>>>>>>>>>>
>>>>>>>>>> For the client side I'm going to use the OpenSSL library [1], which is
>>>>>>>>>> the de facto standard for C/C++ applications. Unfortunately its
>>>>>>>>>> licence is not fully compatible with the Apache Licence, so it's going
>>>>>>>>>> to require users to install OpenSSL themselves.
>>>>>>>>>>
>>>>>>>>>> For the driver I'm going to add the following options to the connection
>>>>>>>>>> string:
>>>>>>>>>> ssl_mode - Determines whether or with what priority an SSL
>>>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>>>>> client certificate.
>>>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>>>>
>>>>>>>>>> If the ssl_mode is not set to "disable" then the ODBC driver will
>>>>>>>>>> attempt to find and load the OpenSSL library before establishing
>>>>>>>>>> connection.
>>>>>>>>>>
>>>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>>>> if SSL is enabled and to figure out connection parameters, so
>>>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>>>>> ClientListenerProcessor.
>>>>>>>>>>
>>>>>>>>>> What do you guys think?
>>>>>>>>>>
>>>>>>>>>> [1] - https://www.openssl.org
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Igor
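
The parameter set the thread settles on (ssl_mode=[require|disable] plus ssl_key_file, ssl_cert_file and ssl_ca_file) can be validated so that a mistyped or unsupported mode is refused instead of becoming a plaintext connection. This is an added example, not code from the thread or from the Ignite ODBC driver. The type and function names, the "disable" default, case-insensitive matching and the rule that "require" needs ssl_ca_file are all assumptions.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

enum class SslMode { Disable, Require };  // hypothetical names, not Ignite's code
struct SslConfig {
    SslMode mode = SslMode::Disable;  // assumption: no ssl_mode means "disable"
    std::string keyFile, certFile, caFile;
    std::string error;                // non-empty: refuse to connect
};
static std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
// Parse "key=value;key=value" and validate the SSL parameters from the thread.
SslConfig ParseSslConfig(const std::string& connStr) {
    std::map<std::string, std::string> kv;
    std::istringstream in(connStr);
    for (std::string item; std::getline(in, item, ';');) {
        auto eq = item.find('=');
        if (eq != std::string::npos) kv[Lower(item.substr(0, eq))] = item.substr(eq + 1);
    }
    SslConfig cfg;
    cfg.keyFile = kv["ssl_key_file"];
    cfg.certFile = kv["ssl_cert_file"];
    cfg.caFile = kv["ssl_ca_file"];
    std::string mode = kv.count("ssl_mode") ? Lower(kv["ssl_mode"]) : "disable";
    if (mode != "require" && mode != "disable") {
        cfg.mode = SslMode::Require;  // fail closed: a typo must not mean plaintext
        cfg.error = "unsupported ssl_mode: " + mode;
        return cfg;
    }
    if (mode == "disable") return cfg;
    cfg.mode = SslMode::Require;
    // Assumption: "require" is only useful if the server certificate is verified.
    if (cfg.caFile.empty())
        cfg.error = "ssl_mode=require needs ssl_ca_file";
    else if (cfg.keyFile.empty() != cfg.certFile.empty())
        cfg.error = "ssl_key_file and ssl_cert_file must be set together";
    return cfg;
}

int main() {
    // Constructed input: "prefer" is not in the final require|disable set.
    SslConfig c = ParseSslConfig("ssl_mode=prefer;ssl_ca_file=/path/ca.pem");
    std::cout << (c.error.empty() ? "ok" : c.error) << "\n";
}
```

Keeping the mode as an enum rather than a boolean leaves room for the stricter "verify-ca" and "verify-full" modes mentioned in the thread.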