[jira] [Commented] (IGNITE-6167) Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
[ https://issues.apache.org/jira/browse/IGNITE-6167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16565318#comment-16565318 ]

Mikhail Cherkasov commented on IGNITE-6167:
---

[~vozerov] could you please review my changes?

> Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
>
> Key: IGNITE-6167
> URL: https://issues.apache.org/jira/browse/IGNITE-6167
> Project: Ignite
> Issue Type: Wish
> Components: security
> Affects Versions: 2.1
> Reporter: Jens Borgland
> Assignee: Mikhail Cherkasov
> Priority: Major
>
> It would be very useful to be able to, in addition to the
> {{javax.net.ssl.SSLContext}}, either specify a custom
> {{javax.net.ssl.SSLServerSocketFactory}} and a custom
> {{javax.net.ssl.SSLSocketFactory}}, or to be able to at least specify the
> enabled TLS protocols and cipher suites.
> I have noticed that the
> {{org.apache.ignite.internal.util.nio.ssl.GridNioSslFilter}} has support for
> the latter but I cannot find a way of getting a reference to the filter
> instance. The {{GridNioSslFilter}} also isn't used by {{TcpDiscoverySpi}} as
> far as I can tell.
> Currently (as far as I can tell) there is no way of specifying the enabled
> cipher suites and protocols used by Ignite, without doing it globally for the
> JRE.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (IGNITE-6167) Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
[ https://issues.apache.org/jira/browse/IGNITE-6167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16140537#comment-16140537 ]

Jens Borgland commented on IGNITE-6167:
---

Thank you [~ilyak]! I did at some point explore this option but I didn't think of delegating to the SSLContext from my SSLContextSpi implementation (and I couldn't find a way of getting hold of a SSLContextSpi instance). I've now done just the thing you suggested and through that also worked around IGNITE-6168.
[jira] [Commented] (IGNITE-6167) Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
[ https://issues.apache.org/jira/browse/IGNITE-6167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16139794#comment-16139794 ]

Ilya Kasnacheev commented on IGNITE-6167:
---

[~jens.borgland] You can subclass SSLContext and call protected SSLContext(SSLContextSpi contextSpi, Provider provider, String protocol) constructor with crafted contextSpi which will return engineGetServerSocketFactory() with specified TLS protocols and cipher suites.

Maybe there's some caveat but I don't immediately see it. That sure as day requires some dedicated effort.
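
The delegation approach described in the comment above, as an added example that is not code from this thread or from Ignite: a subclass of SSLContext built through the protected constructor, with an SSLContextSpi that forwards to an already initialized context and pins protocols and cipher suites. The class name `RestrictedSslContext` is hypothetical, and only the server socket factory and SSLEngine paths are restricted here; the client SSLSocketFactory would be wrapped the same way.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.security.SecureRandom;
import javax.net.ssl.*;

// Added example (hypothetical class): SSLContext whose server sockets and engines use only the given protocols and suites.
public final class RestrictedSslContext extends SSLContext {
    public RestrictedSslContext(SSLContext delegate, String[] protocols, String[] suites) {
        // Protected SSLContext(SSLContextSpi, Provider, String) constructor; delegate must already be initialized.
        super(new Spi(delegate, protocols, suites), delegate.getProvider(), delegate.getProtocol());
    }
    private static final class Spi extends SSLContextSpi {
        private final SSLContext ctx;
        private final String[] protocols, suites;
        Spi(SSLContext ctx, String[] protocols, String[] suites) { this.ctx = ctx; this.protocols = protocols; this.suites = suites; }
        // No-op: key and trust material live in the delegate, which was initialized by the caller.
        @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) { }
        // Client factory is passed through unchanged in this example.
        @Override protected SSLSocketFactory engineGetSocketFactory() { return ctx.getSocketFactory(); }
        @Override protected SSLSessionContext engineGetServerSessionContext() { return ctx.getServerSessionContext(); }
        @Override protected SSLSessionContext engineGetClientSessionContext() { return ctx.getClientSessionContext(); }
        @Override protected SSLEngine engineCreateSSLEngine() { return pinEngine(ctx.createSSLEngine()); }
        @Override protected SSLEngine engineCreateSSLEngine(String host, int port) { return pinEngine(ctx.createSSLEngine(host, port)); }
        private SSLEngine pinEngine(SSLEngine e) {
            e.setEnabledProtocols(protocols);
            e.setEnabledCipherSuites(suites); // throws IllegalArgumentException for names the provider does not support
            return e;
        }
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() {
            final SSLServerSocketFactory f = ctx.getServerSocketFactory();
            return new SSLServerSocketFactory() {
                @Override public String[] getDefaultCipherSuites() { return suites.clone(); }
                @Override public String[] getSupportedCipherSuites() { return f.getSupportedCipherSuites(); }
                @Override public ServerSocket createServerSocket() throws IOException { return pinSocket(f.createServerSocket()); }
                @Override public ServerSocket createServerSocket(int p) throws IOException { return pinSocket(f.createServerSocket(p)); }
                @Override public ServerSocket createServerSocket(int p, int b) throws IOException { return pinSocket(f.createServerSocket(p, b)); }
                @Override public ServerSocket createServerSocket(int p, int b, InetAddress a) throws IOException { return pinSocket(f.createServerSocket(p, b, a)); }
                private ServerSocket pinSocket(ServerSocket s) {
                    SSLServerSocket ss = (SSLServerSocket) s;
                    ss.setEnabledProtocols(protocols);
                    ss.setEnabledCipherSuites(suites);
                    return ss;
                }
            };
        }
    }
}
```
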
[jira] [Commented] (IGNITE-6167) Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
[ https://issues.apache.org/jira/browse/IGNITE-6167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16138274#comment-16138274 ]

Jens Borgland commented on IGNITE-6167:
---

[~ilyak], perhaps it's me who's missing something obvious but I cannot really find a reasonable way of subclassing SSLContext - and getSocketFactory() and getServerSocketFactory() are both final.

I have however created my own SslContextFactory (in order to set up revocation checking the way I need) and that part works fine.
[jira] [Commented] (IGNITE-6167) Ability to set custom SSLServerSocketFactory and SSLSocketFactory or enabled TLS protocols and cipher suites
[ https://issues.apache.org/jira/browse/IGNITE-6167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16138259#comment-16138259 ]

Ilya Kasnacheev commented on IGNITE-6167:
---

[~jens.borgland] You can create your own subclass of SslContextFactory, overriding create(), which will return your own SSLContext, overriding getSocketFactory() and getServerSocketFactory() and returning custom socket factories.

Anything obvious I am missing? Seems doable. Of course the usability of that solution is suboptimal.