@jdeppe-pivotal @upthewaterspout @pivotal-jbarrett @bschuchardt
Could I request a re-review of this PR?
GEODE-5594 is merged to develop and introduced an improvement to enable geode
clients to validate hostnames to address the security concerns about trusting
the default trust store. With this flag users wanted to use default context or
custom security provider can enable hostname validation. Also, using default
context is not the default behavior as it would break backward compatibility.
So with this new flag `ssl-use-default-context`, users have a choice:
1) Decide whether you want SSL? Enable using 'ssl-enabled-components'
2) Great. Do you want to use
2.a) default ssl context? use ssl-use-default-context or
2.b) configure ssl context with specific trust and key store types,
locations, passwords (by providing ssl-key* and ssl-trust*)
3) In any case (2.a or 2.b) you have an option to restrict SSL protocols and
ciphers (using ssl-protocols, ssl-ciphers)
4) In any case (2.a or 2.b) you have an option to enable mutual auth (using
ssl-require-auth)
Hostname validation is enabled by default and a warning is logged when user is
not using default context and he/she can disable it setting to
`ssl-endpoint-identification=false`
[ Full content available at: https://github.com/apache/geode/pull/2244 ]
This message was relayed via gitbox.apache.org for [email protected]
