Thanks Anthony. If this property is just used for components like
server, locator, etc., then how will this affect client-server mutual
authentication?

Also, what we are observing is that Geode is only using the signing authority of
the certificate as the credential: if both client and server trust the same CA, then
the connection is established. I don't think there is any auth happening here.
We are just encrypting data and establishing trust between client and
server.

Please correct me if I am wrong.

With best regards,
Ashish

On Thu, Mar 28, 2019, 1:49 AM Anthony Baker <[email protected]> wrote:

> Comments below...
>
> On Mar 27, 2019, at 12:52 PM, aashish choudhary <
> [email protected]> wrote:
>
> Thanks Udo, Sai.
>
> But as per documentation this property ssl-require-authentication is only
> applicable to cluster members.
>
> *ssl-require-authentication*: Requires two-way authentication, applies to
> all components except web. Boolean - if true (the default), two-way
> authentication is required
>
>
> https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html
>
>
>
> mTLS isn’t applied to the web component because that process is external
> to geode (chrome, curl, etc). The other ssl components like server,
> locator, cluster, jmx, gateway, etc all honor this setting.
>
>
> And there is one more doubt regarding the newly introduced ssl property:
> ssl-endpoint-identification-enabled causes clients to validate the server
> hostname using the server certificate.
>
> Is this applicable to both client and servers for hostname verification?
>
>
> Yes, it should cause any SSL-enabled component to verify the SAN / CN.
>
>
>
> Thanks,
> Ashish
>
> On Fri, Dec 21, 2018, 11:20 PM Udo Kohlmeyer <[email protected]>
> wrote:
>
>> Ashish,
>>
>> As Sai has stated...
>>
>> In Geode:
>>
>>    - ssl-require-authentication=false -> Client authenticates Server SSL
>>    key
>>    - ssl-require-authentication=true -> Client authenticates Server SSL
>>    key AND Server authenticates Client SSL key
>>
>> --Udo
>>
>> On 12/21/18 08:25, Sai Boorlagadda wrote:
>>
>> It is *mutual auth*. Both server and client validate each other's key.
>> I should have mentioned "in addition to...."
>>
>> Sai
>>
>> On Fri, Dec 21, 2018 at 7:54 AM aashish choudhary <
>> [email protected]> wrote:
>>
>>> So it's not mutual authentication? Both parties are not validating
>>> each other; only the server is validating the client's key, if my
>>> understanding is correct.
>>>
>>>
>>> With best regards,
>>> Ashish
>>>
>>> On Fri, Dec 21, 2018, 1:29 AM Sai Boorlagadda <[email protected]
>>> wrote:
>>>
>>>> Hello Aashish,
>>>>
>>>> When ssl-require-authentication is set, it allows servers to validate the
>>>> client's public key, which also requires you to include the CA in the server's
>>>> trust store using which the client public key is signed.
>>>>
>>>> Sai
>>>>
>>>> On Thu, Dec 20, 2018, 10:43 AM aashish choudhary <
>>>> [email protected] wrote:
>>>>
>>>>> We wanted to implement two-way SSL with Geode and needed some
>>>>> understanding on the ssl property ssl-require-authentication. As per docs:
>>>>> *ssl-require-authentication* Requires two-way authentication, applies
>>>>> to all components except web. Boolean - if true (the default), two-way
>>>>> authentication is required.
>>>>> So if we set this to true, will it only verify the trust chain, or will
>>>>> some public key stuff for both client and server get verified in this
>>>>> authentication?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Ashish
>>>>>
>>>>
>>
>>
>
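Editor's note, not part of the thread above: the behaviour the thread describes can be seen concretely with a loopback TLS exchange, which is what the added example below does. It is not Geode code and not from any participant; it uses Go's standard library with settings that mirror the two properties discussed: ClientAuth=NoClientCert stands in for ssl-require-authentication=false, ClientAuth=RequireAndVerifyClientCert plus a ClientCAs trust store for ssl-require-authentication=true, and the client's ServerName check (against the SAN) for ssl-endpoint-identification-enabled. The CA, the hostname "geode-server.example", the CNs and the scenario names are all constructed for the demo. The exchange shows what Ashish is asking about: with a shared CA, mTLS proves that the peer holds a private key for a certificate that a trusted CA signed, and the server then has to read the presented certificate (here the CN) to know who that peer is; a cert from an unrelated CA, no cert at all, or a server name that does not match the SAN are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

var serial int64 = 1

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// dnsName, if non-empty, goes into the SAN so that hostname verification can match it.
func issue(cn, dnsName string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if dnsName != "" {
		tmpl.DNSNames = []string{dnsName}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, der
}

// handshake runs one TLS connection over loopback. After a successful handshake the
// server writes the client identity it observed (CN, or "<none>") as application data
// and closes; the client returns that string. A rejected client certificate is reported
// here as an error even under TLS 1.3, where the client's own Dial can succeed before
// the server's verdict arrives, because the failure surfaces on the subsequent read.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return
		}
		// Authorization point: the chain check only proved the peer holds a key that a
		// trusted CA certified; who that peer is has to be read from the certificate.
		who := "<none>"
		if certs := tc.ConnectionState().PeerCertificates; len(certs) > 0 {
			who = certs[0].Subject.CommonName
		}
		fmt.Fprint(tc, who)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	b, err := io.ReadAll(conn)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Run builds a demo CA, a server cert for the hypothetical name geode-server.example,
// a client cert from that CA and a client cert from an unrelated CA, then exercises the
// settings the thread discusses. Results are "accepted:<client CN>" or "rejected:<err>".
func Run() map[string]string {
	ca, caKey, _ := issue("demo-ca", "", true, nil, nil)
	_, srvKey, srvDER := issue("geode-server", "geode-server.example", false, ca, caKey)
	_, cliKey, cliDER := issue("geode-client", "", false, ca, caKey)
	otherCA, otherKey, _ := issue("other-ca", "", true, nil, nil)
	_, rogueKey, rogueDER := issue("rogue-client", "", false, otherCA, otherKey)

	pool := x509.NewCertPool() // the shared trust store: demo-ca only
	pool.AddCert(ca)
	srvCert := tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	cliCert := tls.Certificate{Certificate: [][]byte{cliDER}, PrivateKey: cliKey}
	rogueCert := tls.Certificate{Certificate: [][]byte{rogueDER}, PrivateKey: rogueKey}

	// ssl-require-authentication=false analogue: server never asks for a client cert.
	oneWay := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.NoClientCert}
	// ssl-require-authentication=true analogue: client cert must chain to the server's trust store.
	twoWay := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}

	client := func(cert *tls.Certificate, serverName string) *tls.Config {
		// ServerName is what the client checks against the SAN (endpoint identification).
		cfg := &tls.Config{RootCAs: pool, ServerName: serverName}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		return cfg
	}
	cases := []struct {
		name           string
		server, client *tls.Config
	}{
		{"one-way", oneWay, client(nil, "geode-server.example")},
		{"two-way/trusted-client", twoWay, client(&cliCert, "geode-server.example")},
		{"two-way/no-client-cert", twoWay, client(nil, "geode-server.example")},
		{"two-way/untrusted-ca-client", twoWay, client(&rogueCert, "geode-server.example")},
		{"one-way/hostname-mismatch", oneWay, client(nil, "not-the-server.example")},
	}
	out := make(map[string]string)
	for _, c := range cases {
		if who, err := handshake(c.server, c.client); err != nil {
			out[c.name] = "rejected:" + err.Error()
		} else {
			out[c.name] = "accepted:" + who
		}
	}
	return out
}

func main() {
	for name, result := range Run() {
		fmt.Printf("%-30s %s\n", name, result)
	}
}
```

The point to take from the two accepted rows is that "one-way" succeeds with the server seeing no client identity at all, while "two-way/trusted-client" succeeds with the server seeing the CN geode-client. Both sides trusting the same CA is what makes the chain check pass; any policy about which certified identities may connect is a separate decision that a server must make from the presented certificate after the handshake.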
