Yeah, I think we'd definitely like to have TSSLSocket implementations in as many languages as possible. It's obviously a lot more involved in some than others, especially getting server-side support right, and in C++ dealing with things like linking in the openssl libs and whatnot.

There are some other questions around what sort of APIs to support in terms of using custom certificates/validation, but for a basic PHP client this should be very easy for someone to whip up in less than a day. There's clearly been a lot of interest in these, based upon past threads on the dev/user lists. HTTPS/stunnel are workable solutions, but I'm sure if these Transport classes existed, lots of people would start using them.

Cheers,
mcslee

-----Original Message-----
From: Michael Lawson (mshindo) [mailto:mich...@sphinix.com]
Sent: Sunday, April 18, 2010 2:15 AM
To: thrift-dev@incubator.apache.org
Subject: Re: SSL

SSL is the more preferred method, because we also want to use the Thrift API for a command line interface, which will be in C++. There are pretty simple SSL APIs for PHP; I don't think it would be much trouble to smash out a Transport client.

On Sun, Apr 18, 2010 at 8:24 PM, Fred Potter <fpot...@gmail.com> wrote:

> Hi Michael,
>
> Are you still using http for the transport? If so, I'm sure the http transport available for most of the language libraries will work over https by just changing the URL. I don't know about your needs, but for me, thrift over http is about as good as thrift over plain sockets (assuming keep-alive is working so that each request isn't made on its own tcp connection).
>
> I doubt there are plans to introduce SSL socket clients for each library. Remember, Thrift was originally built for communication across an intranet and not really for publicly exposed services.
>
> I wonder if you couldn't rig something up with stunnel to satisfy your needs without having to modify any of the thrift clients?
>
> Maybe something that looks like:
> (php page) <--> (thrift socket client) <--> (stunnel instance on same machine) <--> (... untrusted network ...) <--> (cpp daemon w/ ssl patch)
>
> Fred
>
> On Sun, Apr 18, 2010 at 12:41 AM, Michael Lawson (mshindo) <mich...@sphinix.com> wrote:
> > Hi All,
> > I am using thrift on a couple of projects, and have struck the need to encrypt communications on one of them. Before moving to thrift, management of this particular application was performed via a built-in https server; however, this was not ideal for several obvious reasons. So we have moved to php for management and use thrift to communicate with the c++ daemon.
> >
> > Some of this information being sent is sensitive, and we need to be able to validate a remote peer. I have looked through Jira and seen that a C++ ssl patch was written, but am wondering if there are any plans with regards to making this mainstream along with developing ssl clients in other languages?
> >
> > This requirement is relatively important to my product, so if it helps speed up this process, I am more than happy to lend development time to this fantastic project.
> >
> > Regards,
> >
> > --
> > Michael Lawson
> >
>

--
Michael Lawson (mshindo)
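
The stunnel layout sketched in the thread above, as an added example that is not part of the original messages: a client-side stunnel configuration for the PHP host, with a service that only encrypts next to one that also validates the remote peer. The port numbers, the host name `daemon.example.internal` and the CA file path are placeholders, and `verifyChain` and `checkHost` assume a stunnel 5.x release that supports those options.

```ini
; stunnel.conf on the PHP host (client side of the tunnel).
; Constructed example: ports, host name and file paths are placeholders.

; Weak: traffic is encrypted, but with no verification option set the
; certificate presented by the remote end is not checked, so any TLS
; endpoint answering on that address is accepted.
[thrift-unverified]
client = yes
accept = 127.0.0.1:9090
connect = daemon.example.internal:9443

; Corrected: the remote certificate must chain to the configured CA and
; must be issued for the expected host name before any data is relayed.
[thrift-verified]
client = yes
accept = 127.0.0.1:9091
connect = daemon.example.internal:9443
CAfile = /etc/stunnel/thrift-ca.pem
verifyChain = yes
checkHost = daemon.example.internal
```

The unmodified Thrift socket client connects to 127.0.0.1:9091 in plain text; stunnel performs the TLS handshake and the peer validation on its behalf.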