ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: Configure list and order of SSL cipher suites
Date Fri, 04 May 2018 03:35:42 GMT
Ilya,

Thanks for picking up this belated task. The solution you found seems ideal
to me. I would go for it.

BTW, not sure we need an IEP for this improvement.

--
Denis

On Thu, May 3, 2018 at 7:54 AM, Ilya Kasnacheev <ilya.kasnacheev@gmail.com>
wrote:

> A follow up on https://issues.apache.org/jira/browse/IGNITE-6167
>
> Some users want to specify a list of ciphers to use in their controlled
> environment, limiting to a select few ciphers with ordering.
>
> I have tried to implement the work-around myself, and found the amount
> of code and copy-paste to be seriously non-trivial.
>
> I have found the following library:
> https://github.com/soulwing/ssl-context-tools - It allows specifying a list
> of ciphers, but unfortunately it doesn't work with Ignite since it can't
> create unbound sockets :) Its customization options are also limited.
>
> Having said that, I propose the following change to API:
> Let's have IgniteConfiguration.setSslParameters(SSLParameters parameters)
> Yeah, let's just use this class everywhere:
> https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html
> It already contains a decent number of configurable parameters. I will
> check it, but it should be Spring-initializable by the looks.
>
> This means we have
> IgniteConfiguration.setSslContextFactory(Factory<SSLContext>) and
> IgniteConfiguration.setSslParameters(SSLParameters) with full forward
> compatibility.
>
> NB: We will also set "need client auth" for node-node communication and
> discovery, but it will be configurable for other clients, REST, etc. I
> think it would make sense to have separate SSL parameters for client
> connectors, however I'm not sure so I'll try to minimize impact for now.
>
> WDYT? I'll create an IEP if this looks good to you, fellow igniters.
>
>
> --
> Ilya Kasnacheev
>

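The configuration the quoted proposal describes, as an added example that is not Ignite code and not part of this thread: plain JSSE use of javax.net.ssl.SSLParameters to restrict the enabled protocols and cipher suites, keep the operator's ordering, require a client certificate, and apply the result to a server-side SSLEngine. The class name and the cipher-suite list are assumed example values. The filtering step is the caveat a practitioner wants: SSLEngine.setSSLParameters() throws IllegalArgumentException when a listed suite is not supported by the provider, so the allow-list is intersected with getSupportedSSLParameters() first, preserving the operator's order.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Builds a restricted, ordered SSLParameters and applies it to an SSLEngine (example, not Ignite code). */
public final class RestrictedTlsParameters {
    /** Operator-chosen allow-list in preference order (assumed example values). */
    static final String[] PREFERRED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Only TLS 1.2 is enabled in this example. */
    static final String[] PROTOCOLS = { "TLSv1.2" };

    /**
     * Intersects the preferred list with what the provider actually supports,
     * keeping the operator's order. SSLEngine.setSSLParameters() rejects an
     * unsupported suite name with IllegalArgumentException, so filter first.
     */
    static String[] supportedInOrder(SSLContext ctx, String[] preferred) {
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> out = new ArrayList<>();
        for (String suite : preferred)
            if (supported.contains(suite))
                out.add(suite);
        if (out.isEmpty())
            throw new IllegalStateException(
                "none of the preferred cipher suites is supported by this JSSE provider");
        return out.toArray(new String[0]);
    }

    /** Starts from the context defaults and tightens them. */
    static SSLParameters restrictedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(PROTOCOLS);
        p.setCipherSuites(supportedInOrder(ctx, PREFERRED_SUITES));
        // Prefer the local order over the peer's; only meaningful on the server side.
        p.setUseCipherSuitesOrder(true);
        // Mutual TLS: the handshake fails if the peer presents no certificate.
        // Note that setNeedClientAuth(true) also clears any earlier setWantClientAuth(true).
        p.setNeedClientAuth(true);
        return p;
    }

    /** Creates a server-mode engine carrying the restricted parameters. */
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine eng = ctx.createSSLEngine();
        eng.setUseClientMode(false);
        eng.setSSLParameters(restrictedParameters(ctx));
        return eng;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // Default key/trust material is enough to inspect the resulting settings;
        // a real deployment would init() with its own key and trust managers.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine eng = serverEngine(ctx);
        System.out.println("protocols: " + Arrays.toString(eng.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(eng.getEnabledCipherSuites()));
        System.out.println("needClientAuth=" + eng.getNeedClientAuth()
            + " useCipherSuitesOrder=" + eng.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```

SSLParameters has a public no-argument constructor and bean-style setters (setCipherSuites, setProtocols, setNeedClientAuth, setUseCipherSuitesOrder), which is what makes it declarable as a Spring bean; the same object can be handed to SSLSocket.setSSLParameters() and SSLServerSocket.setSSLParameters() as well as to an SSLEngine. Verify the effect with the getEnabledCipherSuites() and getEnabledProtocols() calls shown rather than trusting the configuration object alone, since the engine only keeps the suites the provider can actually negotiate.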