[ https://issues.apache.org/jira/browse/DERBY-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12474990 ]

John H. Embretsen commented on DERBY-2356:
------------------------------------------

A few comments after my first take at trying out the (v1) patch:

(I have only tried ssl=basic so far...)

1) No server commands (e.g. shutdown, ping, runtimeinfo) worked after the 
server was started with SSL on (basic). The message I'm getting is:

    Invalid reply header from network server: Invalid string .

2) Using -Dderby.drda.sslMode=basic (and ssl=basic in the client URL) seemed to 
work fine, although I did not actually inspect the network traffic to verify 
encryption.

3) Using ssl=basic as an option to the NetworkServerControl start command did 
not work:

    Command line: java <properties> -jar derbyrun.jar server start ssl=basic
    Result: Invalid number of arguments for command start.

    Command line: java <properties> -jar derbyrun.jar server start -ssl=basic
    Result: Argument -ssl=basic is unknown.

  I tried both with and without the -unsecure option/plain-text authentication.

4) The funcSpec says:

     SSL at the server side is activated with the property
    derby.drda.sslMode (default off) or the -ssl option for the server
    command.

   By "the server command", do you mean the start command of the server? This 
should perhaps be clarified in the funcSpec?

5) The funcSpec also says:

    The property may have three values: "off", "basic" and
    "peerAuthentication"

   However, the example in section 2.3 is using ssl=authenticate. Also, 
comments in the patch seem to indicate that "false", "true" and "auth" are also 
valid property values. What is (or should be) the correct set of valid values?

6) I verified that connection attempts against a server started with SSL off, 
but with ssl=basic in the client URL, resulted in an informative error message 
on the client side.



> Make SSL server authentication optional
> ---------------------------------------
>
>                 Key: DERBY-2356
>                 URL: https://issues.apache.org/jira/browse/DERBY-2356
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Client, Network Server
>    Affects Versions: 10.3.0.0
>            Reporter: Bernt M. Johnsen
>         Assigned To: Bernt M. Johnsen
>             Fix For: 10.3.0.0
>
>         Attachments: derby-2356-v1.diff, derby-2356-v1.stat, SSLFuncSpect.txt
>
>
> Default SSL behaviour is to require server authentication. For a database 
> application this is not as important as it is for web browsers and also 
> creates some extra hassle for the user/application programmer. Since the main 
> objective for SSL in Derby is encryption on the wire, server authentication 
> should be optional (the same way client authentication is).
> This also creates some symmetry which can be exploited to simplify the user 
> interface somewhat. This improvement to DERBY-2108 is described in the 
> attached functional specification. See the attachment for details.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.