Hi Denis,

> Could you explain the difference between “allow, prefer and require” modes?

allow - Client will first try connecting without SSL, and then fall back to SSL if it is not allowed to connect without SSL;
prefer - Client will first try connecting using SSL, and then fall back to non-SSL if SSL is not supported by the server;
disable - Client will only connect using SSL and return error if failed to successfully do so.

> BTW, do we really need to have the “disable” one? Guess that having ssl_mode set to “disable” will have the same effect as not setting the ssl_mode at all.

This is the matter of the default value of the ssl_mode option. The way you propose it means that you still have "disable" option, it is just not explicit.

Best Regards,
Igor

On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[email protected]> wrote:

> Hi Igor,
>
> Could you explain the difference between “allow, prefer and require” modes?
>
> BTW, do we really need to have the “disable” one? Guess that having
> ssl_mode set to “disable” will have the same effect as not setting the
> ssl_mode at all.
>
> —
> Denis
>
> > On Nov 3, 2017, at 9:04 AM, Igor Sapego <[email protected]> wrote:
> >
> > Hi, Igniters,
> >
> > I'm going to start working on the SSL support for the ODBC
> > connection and I need to hear your opinion.
> >
> > For the client side I'm going to use OpenSSL library [1], which is
> > standard de-facto for C/C++ applications. Unfortunately its
> > licence is not fully compatible with Apache Licence, so it's going
> > to require from users to install OpenSSL themselves.
> >
> > For the driver I'm going to add following options to connection
> > string:
> > ssl_mode - Determines whether or with what priority a SSL
> >     connection will be negotiated with the server. Options
> >     here are disable, allow, prefer, require.
> > ssl_key_file - Path to the location for the secret key used for the
> >     client certificate.
> > ssl_cert_file - Path to the file of the client SSL certificate.
> >
> > If the ssl_mode is not set to "disable" then ODBC driver will
> > attempt to find and load OpenSSL library before establishing
> > connection.
> >
> > For the server side there is already SslContextFactory in the
> > IgniteConfiguration, which is used by all components to determine
> > if the SSL is enabled and to figure out connection parameters, so
> > I think it's a good idea to just re-use it for the
> > ClientListenerProcessor.
> >
> > What do you guys think?
> >
> > [1] - https://www.openssl.org
> >
> > Best Regards,
> > Igor
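
The attempt order that the ssl_mode values imply, written out as an added example; it is not part of the messages above and not the Ignite ODBC driver's code. All type and function names are hypothetical, the server is simulated, and it assumes "require" means SSL only and "disable" means no SSL, following the option list in the proposal.

```cpp
// Added illustration; every name here is hypothetical, not Ignite ODBC driver code.
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

enum class SslMode { Disable, Allow, Prefer, Require };
enum class Transport { Plain, Ssl };
enum class Outcome { ConnectedPlain, ConnectedSsl, Failed };

// Simulated server: which kinds of connection attempt succeed against it.
struct Server { bool acceptsPlain; bool acceptsSsl; };

SslMode ParseSslMode(const std::string& v) {
    if (v == "disable") return SslMode::Disable;
    if (v == "allow")   return SslMode::Allow;
    if (v == "prefer")  return SslMode::Prefer;
    if (v == "require") return SslMode::Require;
    throw std::invalid_argument("unknown ssl_mode: " + v);  // never guess a mode
}

// Transports tried, in order. Assumption: "require" is SSL only, "disable" is plain only.
std::vector<Transport> AttemptOrder(SslMode mode) {
    switch (mode) {
        case SslMode::Disable: return {Transport::Plain};
        case SslMode::Allow:   return {Transport::Plain, Transport::Ssl};
        case SslMode::Prefer:  return {Transport::Ssl, Transport::Plain};
        case SslMode::Require: return {Transport::Ssl};
    }
    return {};
}

Outcome Connect(SslMode mode, const Server& s) {
    for (Transport t : AttemptOrder(mode)) {
        if (t == Transport::Ssl && s.acceptsSsl) return Outcome::ConnectedSsl;
        if (t == Transport::Plain && s.acceptsPlain) return Outcome::ConnectedPlain;
    }
    return Outcome::Failed;  // no permitted transport succeeded
}

int main() {
    const char* modes[] = {"disable", "allow", "prefer", "require"};
    const Server plainOnly{true, false};  // constructed: a server without SSL
    for (const char* m : modes) {
        Outcome o = Connect(ParseSslMode(m), plainOnly);
        std::printf("%-8s -> %s\n", m, o == Outcome::Failed ? "error"
                    : o == Outcome::ConnectedSsl ? "ssl" : "plaintext");
    }
    return 0;
}
```

Against a server without SSL, only require returns an error; allow and prefer both end in a plaintext session, and allow stays in plaintext even when the server does offer SSL.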
