> On Nov. 18, 2016, 2:48 p.m., Alan Conway wrote: > > Do we need the explicit sni setting? i.e. are there use cases where you > > really need to set SSL SNI = X and AMQP/SASL host = Y where X != Y? If > > there are then ship it. If not then I'd prefer to drop the ssl_sni option > > and make virtual_host the One True Fake Hostname for all security purposes. > > This story is confusing enough already.
To justify: I think embedding SSL in proton was a mistake from the get go, in future it should be handled externally, using the user's choice of tools, configured as normal for those tools. Proton should make it easy to integrate by providing access to relevant *AMQP* settings (virtual_host, SASL user/pass etc.) but *not* by exporting random config settings from a randomly-chosen SSL tool (openssl) as part of proton's top-level API. Openssl config is not suitable for windows SSL, the Go TLS stack, native python/ruby SSL etc. I know SNI is common to all SSL stacks, but SSL is not the only encryption layer in the world. I want to get proton back to doing just AMQP and provide extension points to integrate whatever protocol layers the user wants. It's not realistic now so if we need this feature short term go ahead. However someday I will cut the Gordian Knot so I'd like to avoid expanding the amount of pesky non-AMQP config I will have to untangle from the top-level API. - Alan ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/53876/#review156298 ----------------------------------------------------------- On Nov. 18, 2016, 1:58 p.m., Gordon Sim wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/53876/ > ----------------------------------------------------------- > > (Updated Nov. 18, 2016, 1:58 p.m.) > > > Review request for qpid, Alan Conway, Justin Ross, Kenneth Giusti, and Robbie > Gemmell. > > > Repository: qpid-proton-git > > > Description > ------- > > Ulf's fix for https://issues.apache.org/jira/browse/PROTON-1355 allows you to > control the sni via the existing virtual host option. For cases where you > want the sni to be different from the hostname in the open frame, this patch > adds an explicit option. > > > Diffs > ----- > > proton-c/bindings/python/proton/reactor.py 3562aa9 > > Diff: https://reviews.apache.org/r/53876/diff/ > > > Testing > ------- > > > Thanks, > > Gordon Sim > >
