Hello Aashish,

First I want to re-phrase this sentence "causes clients to validate server hostname using server certificate" as "causes *TCP* *clients* to validate *TCP* *server* hostname using server certificate". When I say TCP Clients - it means the client of a TCP connection.

For example, a TCP Client can be:
- An APP (using GEODE client APIs) initiating a connection to a GEODE server.
- A Cache Server initiating a connection to another Cache Server or Locator.

Whereas the parameter "ssl-require-authentication" is generally applicable on cluster nodes. Because setting this parameter lets TCP Servers (for app initiated connections) also validate the TCP client certificate (application certificate). So to achieve mutual authentication one has to enable this parameter on the cluster nodes, so that any node within the cluster can validate the application's KEY.

In my opinion hostname validation is only applicable for TCP clients when validating a TCP server's certificate during the SSL hand-shake.

> Also what we are observing is that geode is only using signing authority of
> certificate as credential if both client and server trust same CA then
> connection is established. I don't think there is any auth happening here.
> We are just encrypting data and establishing trust between client and
> server.

When a KEY is validated, the validation has to validate the full chain till the root CA. So if you have used a single CA to sign both client and server certificates then this CA has to be trusted in order for the KEY to be validated. Are you saying using two different CAs did not work?

Sai

On Wed, Mar 27, 2019 at 7:00 PM aashish choudhary <[email protected]> wrote:

> Thanks Anthony. If this property is just used for components like
> server, locator etc then how will this affect client server mutual
> authentication.
>
> Also what we are observing is that geode is only using signing authority
> of certificate as credential if both client and server trust same CA then
> connection is established. I don't think there is any auth happening here.
> We are just encrypting data and establishing trust between client and
> server.
>
> Please correct me if I am wrong.
>
> With best regards,
> Ashish
>
> On Thu, Mar 28, 2019, 1:49 AM Anthony Baker <[email protected]> wrote:
>
>> Comments below...
>>
>>> On Mar 27, 2019, at 12:52 PM, aashish choudhary <[email protected]> wrote:
>>>
>>> Thanks Udo, Sai.
>>>
>>> But as per documentation this property ssl-require-authentication is
>>> only applicable to cluster members.
>>>
>>> *ssl-require-authentication* Requires two-way authentication, applies to
>>> all components except web. Boolean - if true (the default), two-way
>>> authentication is required
>>>
>>> https://geode.apache.org/docs/guide/15/managing/security/implementing_ssl.html
>>
>> mTLS isn't applied to the web component because that process is external
>> to geode (chrome, curl, etc). The other ssl components like server,
>> locator, cluster, jmx, gateway, etc all honor this setting.
>>
>>> And there is one more doubt regarding the newly introduced ssl property.
>>> ssl-endpoint-identification-enabled causes clients to validate server
>>> hostname using server certificate
>>>
>>> Is this applicable to both client and servers for hostname verification?
>>
>> Yes, it should cause any SSL-enabled component to verify the SAN / CN.
>>
>>> Thanks,
>>> Ashish
>>>
>>> On Fri, Dec 21, 2018, 11:20 PM Udo Kohlmeyer <[email protected]> wrote:
>>>
>>>> Ashish,
>>>>
>>>> As Sai has stated...
>>>>
>>>> In Geode:
>>>>
>>>> - ssl-require-authentication=false -> Client authenticates Server SSL key
>>>> - ssl-require-authentication=true -> Client authenticates Server SSL key AND Server authenticates Client SSL key
>>>>
>>>> --Udo
>>>>
>>>> On 12/21/18 08:25, Sai Boorlagadda wrote:
>>>>
>>>>> It is *mutual auth*. Both server and client validate either's key.
>>>>> I should have mentioned "in addition to...."
>>>>>
>>>>> Sai
>>>>>
>>>>> On Fri, Dec 21, 2018 at 7:54 AM aashish choudhary <[email protected]> wrote:
>>>>>
>>>>>> So it's not mutual authentication? Both the parties are not validating
>>>>>> each other, only the server is validating the client's key, if my understanding is
>>>>>> correct.
>>>>>>
>>>>>> With best regards,
>>>>>> Ashish
>>>>>>
>>>>>> On Fri, Dec 21, 2018, 1:29 AM Sai Boorlagadda <[email protected]> wrote:
>>>>>>
>>>>>>> Hello Aashish,
>>>>>>>
>>>>>>> When ssl-require-authentication is set it allows servers to validate the
>>>>>>> client's public key, which also requires you to include the CA in the server's
>>>>>>> trust store using which the client public key is signed.
>>>>>>>
>>>>>>> Sai
>>>>>>>
>>>>>>> On Thu, Dec 20, 2018, 10:43 AM aashish choudhary <[email protected]> wrote:
>>>>>>>
>>>>>>>> We wanted to implement two way ssl with geode and needed some
>>>>>>>> understanding on ssl property ssl-require-authentication. As per docs
>>>>>>>> *ssl-require-authentication* Requires two-way authentication,
>>>>>>>> applies to all components except web. Boolean - if true (the default),
>>>>>>>> two-way authentication is required.
>>>>>>>> So if we set this as true it will only verify the trust chain or some
>>>>>>>> public key stuff for both client and server will get verified in this
>>>>>>>> authentication.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Ashish
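The thread above turns on three behaviours: with ssl-require-authentication=false only the client validates the server's certificate, with it set to true the server also validates the client's certificate against the CA in its trust store, and endpoint identification compares the hostname the client connects to against the server certificate's SAN. The following Go program is an added example written for this page; it is not part of the thread and not Geode code (Geode is Java). It mints two throwaway CAs in memory (hypothetical names CA-A and CA-B, server name cache-server.example), then runs the four handshake cases with Go's crypto/tls, where tls.NoClientCert versus tls.RequireAndVerifyClientCert stands in for the ssl-require-authentication setting and tls.Config.ServerName for endpoint identification. It also shows the point raised in the last reply: the two sides can be signed by different CAs as long as each side's trust store holds the other's issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // failing to mint a demo certificate is not recoverable here
	}
}

// template builds a CA or leaf certificate template (all names here are hypothetical).
func template(cn string, serial int64, ca bool, eku x509.ExtKeyUsage, sans ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // the SAN that endpoint identification compares the hostname against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku}, // Any for a CA, serverAuth / clientAuth for leaves
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mint signs tmpl with the parent CA, or self-signs it when parent is nil; Leaf is kept so the result can be a parent.
func mint(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over an in-memory pipe; the client's trailing Read surfaces a server-side rejection (alert), so nil means both sides accepted.
func handshake(srv, cli *tls.Config) error {
	a, b := net.Pipe()
	defer func() { a.Close(); b.Close() }()
	deadline := time.Now().Add(3 * time.Second) // guards against a stuck pipe
	_, _ = a.SetDeadline(deadline), b.SetDeadline(deadline)
	go func() {
		s := tls.Server(a, srv)
		if s.Handshake() == nil {
			s.Write([]byte{'k'}) // constructed "ok" byte so the client has something to read
		}
	}()
	c := tls.Client(b, cli)
	if err := c.Handshake(); err != nil {
		return err
	}
	_, err := c.Read(make([]byte, 1))
	return err
}

// Scenario maps ssl-require-authentication to requireClientAuth and the endpoint-identification hostname to serverName; nil means the handshake succeeded.
func Scenario(requireClientAuth, clientPresentsCert bool, serverName string) error {
	caA := mint(template("CA-A", 1, true, x509.ExtKeyUsageAny), nil) // signs the cache server's certificate
	caB := mint(template("CA-B", 2, true, x509.ExtKeyUsageAny), nil) // signs the application's certificate
	server := mint(template("cache-server", 3, false, x509.ExtKeyUsageServerAuth, "cache-server.example"), &caA)
	client := mint(template("app", 4, false, x509.ExtKeyUsageClientAuth), &caB)
	trustA, trustB := x509.NewCertPool(), x509.NewCertPool()
	trustA.AddCert(caA.Leaf) // client trust store: the CA behind server certificates
	trustB.AddCert(caB.Leaf) // server trust store: the CA behind application certificates
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: trustB} // ClientAuth defaults to NoClientCert
	if requireClientAuth {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert // ssl-require-authentication=true: server verifies the client too
	}
	cliCfg := &tls.Config{RootCAs: trustA, ServerName: serverName}
	if clientPresentsCert {
		cliCfg.Certificates = []tls.Certificate{client}
	}
	return handshake(srvCfg, cliCfg)
}

func main() {
	fmt.Println("one-way TLS, anonymous client:        ", Scenario(false, false, "cache-server.example"))
	fmt.Println("mutual TLS required, anonymous client:", Scenario(true, false, "cache-server.example"))
	fmt.Println("mutual TLS, separate CA on each side: ", Scenario(true, true, "cache-server.example"))
	fmt.Println("mutual TLS, wrong hostname:           ", Scenario(true, true, "other.example"))
}
```

The first and third cases succeed; the second fails because the server demands a client certificate and none is offered, and the fourth fails on the client side because the hostname does not match the server certificate's SAN, which is the check endpoint identification adds on top of chain validation.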
