ignite-dev mailing list archives

From Ilya Kasnacheev <ilya.kasnach...@gmail.com>
Subject Configure list and order of SSL cipher suites
Date Thu, 03 May 2018 14:54:01 GMT
A follow up on https://issues.apache.org/jira/browse/IGNITE-6167

Some users want to specify a list of ciphers to use in their controlled
environment, limiting to a select few ciphers with ordering.

I have tried to implement the work-around myself, and found the amount
of code and copy-paste to be seriously non-trivial.

I have found the following library:
https://github.com/soulwing/ssl-context-tools - It allows specifying a list
of ciphers, but unfortunately it doesn't work with Ignite since it can't
create unbound sockets :) Its customization options are also limited.

Having said that, I propose the following change to the API:
Let's have IgniteConfiguration.setSslParameters(SSLParameters parameters)
Yeah, let's just use this class everywhere:
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html
It already contains a decent number of configurable parameters. I will
check it, but it should be Spring-initializable by the looks.

This means we have
IgniteConfiguration.setSslContextFactory(Factory<SSLContext>) and
IgniteConfiguration.setSslParameters(SSLParameters) with full forward
compatibility.

NB: We will also set "need client auth" for node-node communication and
discovery, but it will be configurable for other clients, REST, etc. I
think it would make sense to have separate SSL parameters for client
connectors, however I'm not sure so I'll try to minimize impact for now.

WDYT? I'll create an IEP if this looks good to you, fellow igniters.


-- 
Ilya Kasnacheev
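
Added example, not part of the original message and not Ignite code: a JDK-only sketch of what an `SSLParameters`-based configuration gives you, namely a restricted, ordered cipher list applied to an unbound server socket and to an `SSLEngine`. The class name, the helper `restrictedParameters` and the preference list are constructed for illustration; the `IgniteConfiguration.setSslParameters` method proposed above is not used here.

```java
import javax.net.ssl.*;
import java.util.*;

public class OrderedCipherSuites {
    // Constructed sample preference list, most preferred first.
    static final List<String> PREFERRED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_NOT_A_REAL_SUITE"); // deliberately unknown, to show the filtering step

    /** Builds SSLParameters limited to the preferred suites this context supports, keeping the given order. */
    static SSLParameters restrictedParameters(SSLContext ctx, List<String> preferred, boolean needClientAuth) {
        Set<String> supported =
            new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> usable = new ArrayList<>();
        for (String suite : preferred)
            if (supported.contains(suite))
                usable.add(suite); // unsupported names would be rejected when applied to a socket
        if (usable.isEmpty())
            throw new IllegalStateException("No requested cipher suite is supported: " + preferred);

        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(usable.toArray(new String[0]));
        params.setUseCipherSuitesOrder(true);     // honour the local order during the handshake
        params.setNeedClientAuth(needClientAuth); // mutual TLS, as for node-to-node links
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = restrictedParameters(ctx, PREFERRED, true);

        // Unbound server socket: created without a port, configured, bound later by the caller.
        try (SSLServerSocket srv =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            srv.setSSLParameters(params);
            System.out.println("bound=" + srv.isBound()
                + " needClientAuth=" + srv.getNeedClientAuth()
                + " suites=" + Arrays.toString(srv.getEnabledCipherSuites()));
        }

        // The same parameters object configures an SSLEngine for NIO-style transports.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setSSLParameters(params);
        System.out.println("engine suites=" + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

`setUseCipherSuitesOrder` requires Java 8 or later; on a server-side socket or engine it makes the handshake follow the configured order rather than the peer's.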
