Comments below...

> On Mar 27, 2019, at 12:52 PM, aashish choudhary <[email protected]> wrote:
>
> Thanks Udo, Sai.
>
> But as per documentation this property ssl-require-authentication is only
> applicable to cluster members.
>
> ssl-require-authentication
> Requires two-way authentication, applies to all components except web.
> Boolean - if true (the default), two-way authentication is required
>
> https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html
>

mTLS isn't applied to the web component because that process is external to geode (chrome, curl, etc). The other ssl components like server, locator, cluster, jmx, gateway, etc all honor this setting.

> And there is one more doubt regarding newly introduced ssl property.
> ssl-endpoint-identification-enabled causes clients to validate server
> hostname using server certificate
>
> Is this applicable to both client and servers for hostname verification?

Yes, it should cause any SSL-enabled component to verify the SAN / CN.

> Thanks,
> Ashish
>
> On Fri, Dec 21, 2018, 11:20 PM Udo Kohlmeyer <[email protected]> wrote:
> Ashish,
>
> As Sai has stated...
>
> In Geode:
>
> ssl-require-authentication=false -> Client authenticates Server SSL key
> ssl-require-authentication=true -> Client authenticates Server SSL key AND
> Server authenticates Client SSL key
>
> --Udo
>
> On 12/21/18 08:25, Sai Boorlagadda wrote:
>> It is *mutual auth*. Both server and client validate either's key.
>> I should have mentioned "in addition to...."
>>
>> Sai
>>
>> On Fri, Dec 21, 2018 at 7:54 AM aashish choudhary <[email protected]> wrote:
>> So it's not mutual authentication? Both the parties are not validating each
>> other, only the server is validating the client's key, if my understanding is
>> correct.
>>
>> With best regards,
>> Ashish
>>
>> On Fri, Dec 21, 2018, 1:29 AM Sai Boorlagadda <[email protected]> wrote:
>> Hello Aashish,
>>
>> When ssl-require-authentication is set, it allows servers to validate the client's
>> public key, which also requires you to include the CA in the server's trust
>> store using which the client's public key is signed.
>>
>> Sai
>>
>> On Thu, Dec 20, 2018, 10:43 AM aashish choudhary <[email protected]> wrote:
>> We wanted to implement two-way SSL with Geode and needed some understanding
>> of the SSL property ssl-require-authentication.
>>
>> As per docs:
>> ssl-require-authentication
>> Requires two-way authentication, applies to all components except web.
>> Boolean - if true (the default), two-way authentication is required.
>>
>> So if we set this as true, will it only verify the trust chain, or will some public
>> key stuff for both client and server get verified in this
>> authentication?
>>
>> Thanks,
>> Ashish
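To make the settings discussed in the thread concrete, here is a constructed gemfire.properties fragment for a server or locator. It is an added example, not configuration from the thread or from the Geode project; the keystore and truststore paths and passwords are placeholders. The property names (ssl-enabled-components, ssl-keystore, ssl-truststore, ssl-require-authentication, ssl-endpoint-identification-enabled, ssl-protocols) are the documented Geode SSL properties.

```properties
# Constructed example (not from the thread). Paths and passwords are placeholders.

# Enable TLS on every non-web component named in the thread. The web component
# is left out because the peer (browser, curl) is outside Geode's control.
ssl-enabled-components=server,locator,cluster,jmx,gateway

# This member's own identity: the certificate it presents to peers.
ssl-keystore=/PLACEHOLDER/path/server-keystore.jks
ssl-keystore-type=jks
ssl-keystore-password=CHANGE_ME

# The truststore holds the CA(s) this member accepts. As Sai notes, with mutual
# auth it must contain the CA that signed the *client* certificates, not only
# the CA behind the server certificates.
ssl-truststore=/PLACEHOLDER/path/server-truststore.jks
ssl-truststore-password=CHANGE_ME

# One-way TLS (weak for a trusted cluster): only the client checks the server's
# certificate chain; any client with the server CA in its truststore can connect.
# ssl-require-authentication=false

# Mutual TLS: in addition to the above, the server checks the client's
# certificate chain against ssl-truststore. This is the default value.
ssl-require-authentication=true

# Hostname verification: the peer's certificate SAN/CN must match the host
# name used to connect, so a valid certificate for a different host is rejected.
ssl-endpoint-identification-enabled=true

# Restrict protocol versions rather than accepting the default "any".
ssl-protocols=TLSv1.2
```

A client needs the mirror image of this: its own keystore holding a certificate signed by a CA present in the server's truststore, and a truststore holding the CA behind the server certificates. Before turning on ssl-endpoint-identification-enabled, confirm that every server and locator certificate carries the exact host names (or IPs) that clients and other members use to connect; a certificate issued for a different name will fail the handshake even though its chain is trusted.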
