This configuration approach looks clearer to me. +1 for it.

—
Denis

> On Nov 20, 2017, at 12:42 AM, Igor Sapego <isap...@apache.org> wrote:
>
> Ok, then how about the following set of options:
>
> ssl_enabled=[true|false]
> ssl_key_file=<path_to_secret_key>
> ssl_cert_file=<path_to_certificate>
>
> Best Regards,
> Igor
>
> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <voze...@gridgain.com> wrote:
>
>> I think it would be enough to have a single switch for now.
>>
>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <dma...@apache.org> wrote:
>>
>>> Igor,
>>>
>>> Thanks for the clarification. Please file a ticket if nobody else shares
>>> a feedback soon.
>>>
>>> —
>>> Denis
>>>
>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>
>>>> Hi Denis,
>>>>
>>>>> Could you explain the difference between “allow, prefer and require”
>>>>> modes?
>>>> allow - Client will first try connecting without SSL, and then fall back
>>>> to SSL if it is not allowed to connect without SSL;
>>>> prefer - Client will first try connecting using SSL, and then fall back
>>>> to non-SSL if SSL is not supported by the server;
>>>> disable - Client will only connect using SSL and return error if failed
>>>> to successfully do so.
>>>>
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>> ssl_mode at all.
>>>> This is the matter of the default value of the ssl_mode option. The way
>>>> you propose it means that you still have "disable" option, it is just not
>>>> explicit.
>>>>
>>>> Best Regards,
>>>> Igor
>>>>
>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <dma...@apache.org> wrote:
>>>>
>>>>> Hi Igor,
>>>>>
>>>>> Could you explain the difference between “allow, prefer and require”
>>>>> modes?
>>>>>
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>> ssl_mode at all.
>>>>>
>>>>> —
>>>>> Denis
>>>>>
>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <isap...@apache.org> wrote:
>>>>>>
>>>>>> Hi, Igniters,
>>>>>>
>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>> connection and I need to hear your opinion.
>>>>>>
>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>> standard de-facto for C/C++ applications. Unfortunately its
>>>>>> licence is not fully compatible with Apache Licence, so it's going
>>>>>> to require users to install OpenSSL themselves.
>>>>>>
>>>>>> For the driver I'm going to add the following options to connection
>>>>>> string:
>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>            connection will be negotiated with the server. Options
>>>>>>            here are disable, allow, prefer, require.
>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>            client certificate.
>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>
>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>> connection.
>>>>>>
>>>>>> For the server side there is already SslContextFactory in the
>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>> if SSL is enabled and to figure out connection parameters, so
>>>>>> I think it's a good idea to just re-use it for the
>>>>>> ClientListenerProcessor.
>>>>>>
>>>>>> What do you guys think?
>>>>>>
>>>>>> [1] - https://www.openssl.org
>>>>>>
>>>>>> Best Regards,
>>>>>> Igor
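
The option set proposed in the Nov 20 message (`ssl_enabled`, `ssl_key_file`, `ssl_cert_file`), parsed so that a malformed value refuses the connection instead of silently falling back to plaintext. This is an added example, not part of the thread and not code from the Ignite ODBC driver. The `;`-separated `key=value` syntax, case-insensitive keys, and the names `SslOptions`, `Lower` and `ParseSslOptions` are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

struct SslOptions {          // hypothetical holder, not the driver's own type
    bool enabled = false;    // ssl_enabled
    std::string keyFile;     // ssl_key_file
    std::string certFile;    // ssl_cert_file
};

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parses an assumed "key=value;key=value" string. Returns false (refuse to connect)
// rather than guessing, so ssl_enabled=ture can never silently mean plaintext.
bool ParseSslOptions(const std::string& connStr, SslOptions& out) {
    SslOptions opts;
    std::istringstream in(connStr);
    std::string pair;
    while (std::getline(in, pair, ';')) {
        const std::string::size_type eq = pair.find('=');
        if (eq == std::string::npos) continue;   // not a key=value attribute
        const std::string key = Lower(pair.substr(0, eq));
        const std::string val = pair.substr(eq + 1);
        if (key == "ssl_key_file") opts.keyFile = val;
        else if (key == "ssl_cert_file") opts.certFile = val;
        else if (key == "ssl_enabled") {
            const std::string v = Lower(val);
            if (v != "true" && v != "false") return false;  // fail closed
            opts.enabled = (v == "true");
        }
    }
    // A client certificate is unusable without its private key, and vice versa.
    if (opts.keyFile.empty() != opts.certFile.empty()) return false;
    out = opts;  // only written on success
    return true;
}

int main() {  // constructed sample connection string
    SslOptions o;
    bool ok = ParseSslOptions("address=127.0.0.1;ssl_enabled=true", o);
    std::cout << ok << ' ' << o.enabled << '\n';
}
```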