A follow up on https://issues.apache.org/jira/browse/IGNITE-6167
Some users want to specify a list of ciphers to use in their controlled environment, limiting to a select few ciphers with ordering.

I have tried to implement the work-around myself, and found the amount of code and copy-paste to be seriously non-trivial.

I have found the following library: https://github.com/soulwing/ssl-context-tools - It allows specifying a list of ciphers, but unfortunately it doesn't work with Ignite since it can't create unbound sockets :) Its customization options are also limited.

Having said that, I propose the following change to the API:
Let's have IgniteConfiguration.setSslParameters(SSLParameters parameters)
Yeah, let's just use this class everywhere: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html
It already contains a decent number of configurable parameters. I will check it, but it should be Spring-initializable by the looks.

This means we have IgniteConfiguration.setSslContextFactory(Factory<SSLContext>) and IgniteConfiguration.setSslParameters(SSLParameters) with full forward compatibility.

NB: We will also set "need client auth" for node-node communication and discovery, but it will be configurable for other clients, REST, etc. I think it would make sense to have separate SSL parameters for client connectors, however I'm not sure so I'll try to minimize impact for now.

WDYT? I'll create an IEP if this looks good to you, fellow igniters.

-- 
Ilya Kasnacheev
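The message above proposes carrying an SSLParameters object in IgniteConfiguration. The example below is added here to show what such an object looks like in plain JSSE and why a Factory<SSLContext> alone is not enough to apply it: an SSLContext carries no SSLParameters, so they have to be set on every SSLEngine or SSLServerSocket the context creates, which is the copy-paste the proposal wants to remove. It is not Ignite code and does not use the proposed setSslParameters method; the class and method names, the cipher suite list, and the use of the JVM default SSLContext are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/** Illustrative helper (not part of Ignite) showing how an SSLParameters object is built and applied. */
public final class SslParametersExample {

    /** Builds the kind of SSLParameters object the proposal would hand to the configuration. */
    public static SSLParameters restrictedParameters() {
        SSLParameters params = new SSLParameters();
        // Restrict protocols first; every suite listed below is a TLS 1.2 suite.
        params.setProtocols(new String[] {"TLSv1.2"});
        // Ordered preference list (assumed for the example): ECDHE for forward secrecy,
        // AEAD (AES-GCM) only, 256-bit before 128-bit, ECDSA before RSA certificates.
        params.setCipherSuites(new String[] {
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        });
        // Java 8+: make the server honour this list's order instead of the client's preference.
        params.setUseCipherSuitesOrder(true);
        // Mutual TLS, as the proposal sets for node-to-node communication and discovery.
        params.setNeedClientAuth(true);
        return params;
    }

    /**
     * Fail closed before applying the parameters. setSSLParameters() would throw
     * IllegalArgumentException on the first unknown suite; reporting all of them
     * at once is more useful when a restricted list is rolled out to a new JVM.
     */
    public static void checkSupported(SSLParameters params, String[] supportedSuites) {
        Set<String> supported = new TreeSet<>(Arrays.asList(supportedSuites));
        Set<String> missing = new LinkedHashSet<>(Arrays.asList(params.getCipherSuites()));
        missing.removeAll(supported);
        if (!missing.isEmpty())
            throw new IllegalStateException("Cipher suites not supported by this JSSE provider: " + missing);
    }

    /** An SSLContext carries no SSLParameters; they are applied per engine. */
    public static SSLEngine newEngine(SSLContext ctx, SSLParameters params, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        checkSupported(params, engine.getSupportedCipherSuites());
        engine.setUseClientMode(clientMode);
        engine.setSSLParameters(params);
        return engine;
    }

    /** Same for server sockets; created unbound so the caller can bind() later. */
    public static SSLServerSocket newUnboundServerSocket(SSLContext ctx, SSLParameters params) throws IOException {
        SSLServerSocket srv = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
        checkSupported(params, srv.getSupportedCipherSuites());
        srv.setSSLParameters(params);
        return srv;
    }

    public static void main(String[] args) throws Exception {
        // JVM default context, used only so the example runs without key material;
        // a real deployment supplies its own key store and trust store.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = restrictedParameters();
        SSLEngine engine = newEngine(ctx, params, false);
        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("enabled suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println("need client auth:  " + engine.getNeedClientAuth());
    }
}
```

Two points worth keeping in mind when reviewing a restricted list like this: setUseCipherSuitesOrder(true) is what actually enforces the ordering the message asks for (without it the client's preference wins), and the list must be intersected against getSupportedCipherSuites() of the provider in use, since a suite name that is valid on one JVM may be absent on another and the JSSE rejects the whole parameter set rather than skipping the unknown entry.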
Ilya,
Thanks for picking up this belated task. The solution you found seems ideal to me. I would go for it. BTW, not sure we need an IEP for this improvement.

-- 
Denis

On Thu, May 3, 2018 at 7:54 AM, Ilya Kasnacheev <[hidden email]> wrote:

> A follow up on https://issues.apache.org/jira/browse/IGNITE-6167
>
> Some users want to specify a list of ciphers to use in their controlled environment, limiting to a select few ciphers with ordering.
>
> I have tried to implement the work-around myself, and found the amount of code and copy-paste to be seriously non-trivial.
>
> I have found the following library: https://github.com/soulwing/ssl-context-tools - It allows specifying a list of ciphers, but unfortunately it doesn't work with Ignite since it can't create unbound sockets :) Its customization options are also limited.
>
> Having said that, I propose the following change to the API:
> Let's have IgniteConfiguration.setSslParameters(SSLParameters parameters)
> Yeah, let's just use this class everywhere: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html
> It already contains a decent number of configurable parameters. I will check it, but it should be Spring-initializable by the looks.
>
> This means we have IgniteConfiguration.setSslContextFactory(Factory<SSLContext>) and IgniteConfiguration.setSslParameters(SSLParameters) with full forward compatibility.
>
> NB: We will also set "need client auth" for node-node communication and discovery, but it will be configurable for other clients, REST, etc. I think it would make sense to have separate SSL parameters for client connectors, however I'm not sure so I'll try to minimize impact for now.
>
> WDYT? I'll create an IEP if this looks good to you, fellow igniters.
>
> -- 
> Ilya Kasnacheev