How does ssl-default-alias interact with this one in the spec:
   ssl-certificate-alias=[empty,string] (default - use first cert in keystore)
I thought ssl-certificate-alias was the one to use by default. It could be
overridden by a component one.
And the default for it is to use the first certificate in the keystore. Are
you suggesting that the default is only the first cert when the keystore
only has one?

I think having both ssl-default-alias and ssl-certificate-alias would be
confusing (I'm currently confused by it).

I also don't understand the failure scenario you describe. Here is an
example of what I hear you saying:
if the keystore has more than one cert and you do not configure a default
but you do configure a specific cert alias for each component then fail.
If all the certs they configure are in the key store then what is the
reason for failure? If some other component is using the default one and
the default is either undefined or non-existent then I would vote for
failure.


On Wed, Aug 10, 2016 at 4:59 PM, Kirk Lund <kl...@pivotal.io> wrote:

> +1 to introduce "ssl-default-alias" and fail if it's not set for multi-key
> keystore
>
>
> On Wed, Aug 10, 2016 at 4:34 PM, Bruce Schuchardt <bschucha...@pivotal.io>
> wrote:
>
> > +1 for ssl-default-alias and failing
> >
> >
> > On 8/10/2016 at 3:36 PM, Udo Kohlmeyer wrote:
> >
> >> Hi there guys,
> >>
> >> As per the proposal for the revision of the SSL configuration
> >> <https://cwiki.apache.org/confluence/display/GEODE/Revised+SSL+properties>,
> >> I'm nearing the completion of this feature.
> >>
> >> What I have come across is some scenarios where a system is configured
> >> with a multi-key keystore and all Geode components are marked to use SSL.
> >> As the ssl configuration factory would not know what key to use, it might
> >> fail to correctly configure SSL comms.
> >>
> >> In this scenario, would it make sense to introduce another property
> >> "ssl-default-alias" which specifies the default certificate alias to be
> >> used in a multi-key keystore?
> >>
> >> Also, in the scenario where a single component specifies a different
> >> alias to be used, should we fail if the "ssl-default-alias" has not been
> >> set for a multi-key keystore?
> >>
> >> Any advice or opinions would be appreciated.
> >>
> >> --Udo
> >>
> >>
> >>
> >
>
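
The two failure rules debated in this thread, side by side, as an added example that is not Geode code and not written by anyone in the thread. The keystore is modelled as a plain list of aliases, and the function names, component names and sample aliases are hypothetical.

```python
# Added illustration, not Geode code. Function and component names are hypothetical.
class SSLConfigError(Exception):
    """Raised when no usable certificate alias can be determined."""


def resolve_alias(keystore_aliases, component_alias=None, default_alias=None):
    """Pick the alias for one component.

    Order: the component's own alias, then ssl-default-alias, then the
    keystore's only key. Anything else is ambiguous and fails.
    """
    chosen = component_alias or default_alias
    if chosen:
        if chosen not in keystore_aliases:
            raise SSLConfigError(f"alias {chosen!r} is not in the keystore")
        return chosen
    if len(keystore_aliases) == 1:
        return keystore_aliases[0]
    raise SSLConfigError("no alias configured and keystore does not hold exactly one key")


def validate(keystore_aliases, components, default_alias=None, strict=False):
    """Resolve every component up front so misconfiguration fails at startup.

    strict=True : a multi-key keystore without ssl-default-alias always fails
                  (the rule that received +1 in the thread).
    strict=False: fail only when some component actually needs the default
                  (the reading suggested in the top reply).
    """
    if strict and len(keystore_aliases) > 1 and not default_alias:
        raise SSLConfigError("ssl-default-alias is required for a multi-key keystore")
    return {name: resolve_alias(keystore_aliases, alias, default_alias)
            for name, alias in components.items()}


if __name__ == "__main__":
    aliases = ["serverKey", "locatorKey"]                        # constructed sample
    explicit = {"server": "serverKey", "locator": "locatorKey"}  # constructed sample
    print(validate(aliases, explicit))           # every component names its own key
    try:
        validate(aliases, explicit, strict=True)  # same config under the strict rule
    except SSLConfigError as exc:
        print("strict:", exc)
```

The same configuration (every component pinned to an alias that exists, no default) passes under the lenient rule and fails under the strict one, which is the case the top reply asks about.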
