Good point. It's because generating a certificate automatically is not safe, right? If so, I think there is no need to add this feature since the motivation is to make the code more intuitive.
Thanks,
Yunze

> On Mar 22, 2022, at 12:40 AM, Enrico Olivelli <eolive...@gmail.com> wrote:
>
> On Mon, 21 Mar 2022 at 16:31 Yunze Xu
> <y...@streamnative.io.invalid> wrote:
>>
>> Hi all,
>>
>> Recently I found a document error when configuring Pulsar client for TLS
>> encryption. See https://github.com/apache/pulsar/issues/14762. However, the code
>> example in the official documents is more intuitive.
>>
>> See https://pulsar.apache.org/docs/en/security-tls-transport/#java-client, the
>> example code doesn't configure `AuthenticationTls`, but it is required once TLS
>> encryption is enabled, even if TLS authentication is not enabled. Because the
>> client side can only send an SSL handshake via `AuthenticationTls`. It would be
>> confusing.
>>
>> Since the cert file and the key file are generated using a CA, whose path is
>> specified by the `tlsTrustCertsFilePath` method, I think it would be possible to
>> generate a cert and a key file automatically. We only need to specify a common
>> name, which represents the role when authentication is enabled.
>
> Usually a service cannot generate a "valid" certificate automatically,
> it MUST be signed by a CA.
>
> We may add an option to automatically generate a certificate (and a
> CA) but that will work only for
> DEV environments.
>
> Enrico
>
>
>> My initial design is, when the client configures the `tlsTrustCertsFilePath`:
>> - If no authentication plugin is enabled, generate the cert and key files
>>   automatically using a default common name.
>> - Otherwise, use the cert and key files specified in `AuthenticationTls`.
>>
>> The benefit is, when you want to pass the TLS authentication, you must configure
>> `AuthenticationTls` at the client side, while you only need to configure
>> `tlsTrustCertsFilePath` if the broker side only enables TLS encryption.
>>
>> What do you think? Is there a better solution?
>>
>> Thanks,
>> Yunze
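Enrico's point, that a client cannot mint its own "valid" certificate because the broker only trusts certificates signed by the CA in its trust store, can be checked with plain OpenSSL. The script below is an added example, not code from the thread or from the Pulsar project; it assumes the `openssl` CLI is installed, and the CA name `dev-ca`, the role `admin` and the file names under `$WORKDIR` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a CA-signed client cert passes the trust-store check that a
# broker performs for AuthenticationTls; a cert the client generated on its own
# (self-signed, same CN) is rejected. All names and paths are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The CA whose certificate would be referenced by tlsTrustCertsFilePath.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dev-ca" \
        -keyout "$WORKDIR/ca.key.pem" -out "$WORKDIR/ca.cert.pem" 2>/dev/null
}

# Proper issuance: a CSR for the role ($1) signed with the CA's private key.
# $2 is the output file prefix.
issue_ca_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORKDIR/$2.key.pem" -out "$WORKDIR/$2.csr.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/$2.csr.pem" \
        -CA "$WORKDIR/ca.cert.pem" -CAkey "$WORKDIR/ca.key.pem" -CAcreateserial \
        -out "$WORKDIR/$2.cert.pem" 2>/dev/null
}

# What "automatic generation" yields when the client holds only the CA
# certificate and not the CA key: a self-signed cert with the desired CN.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORKDIR/$2.key.pem" -out "$WORKDIR/$2.cert.pem" 2>/dev/null
}

# The broker-side question: does the trust-store CA vouch for this cert?
# Prints "trusted" or "rejected" so callers can compare the two cases.
check_against_ca() {
    if openssl verify -CAfile "$WORKDIR/ca.cert.pem" \
            "$WORKDIR/$1.cert.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

make_ca
issue_ca_signed_cert "admin" "signed"
make_self_signed_cert "admin" "selfsigned"
echo "CA-signed client cert:   $(check_against_ca signed)"       # trusted
echo "self-signed client cert: $(check_against_ca selfsigned)"   # rejected
```

The same CN appears in both certificates, so the role alone proves nothing; only the CA signature does, which is why a client-side auto-generation option could serve DEV setups but not a real deployment.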