SSL for ODBC connection

> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
>
> Hi, Igniters,
>
> I'm going to start working on the SSL support for the ODBC
> connection and I need to hear your opinion.
>
> For the client side I'm going to use OpenSSL library [1], which is
> standard de-facto for C/C++ applications. Unfortunately its
> licence is not fully compatible with Apache Licence, so its going
> to require from users to install OpenSSL themselves.
>
> For the driver I'm going to add following options to connection
> string:
> ssl_mode - Determines whether or with what priority a SSL
>    connection will be negotiated with the server. Options
>    here are disable, allow, prefer, require.
> ssl_key_file - Path to the location for the secret key used for the
>    client certificate.
> ssl_cert_file - Path to the file of the client SSL certificate.
>
> If the ssl_mode is not set to "disable" then ODBC driver will
> attempt to find and load OpenSSL library before establishing
> connection.
>
> For the server side there is already SslContextFactory in the
> IgniteConfiguration, which is used by all components to determine
> if the SSL enabled and to figure out connection parameters, so
> I think it's a good idea to just re-use it for the ClientListenerProcessorю
>
> What do you guys think?
>
> [1] - https://www.openssl.org
>
> Best Regards,
> Igor

> Hi Igor,
>
> Could you explain the difference between “allow, prefer and require” modes?
>
> BTW, do we really need to have the “disable” one? Guess that having
> ssl_mode set to “disable” will have the same effect as not setting the
> ssl_mode at all.
>
> —
> Denis
>
> > On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
> >
> > Hi, Igniters,
> >
> > I'm going to start working on the SSL support for the ODBC
> > connection and I need to hear your opinion.
> >
> > For the client side I'm going to use OpenSSL library [1], which is
> > standard de-facto for C/C++ applications. Unfortunately its
> > licence is not fully compatible with Apache Licence, so its going
> > to require from users to install OpenSSL themselves.
> >
> > For the driver I'm going to add following options to connection
> > string:
> > ssl_mode - Determines whether or with what priority a SSL
> >    connection will be negotiated with the server. Options
> >    here are disable, allow, prefer, require.
> > ssl_key_file - Path to the location for the secret key used for the
> >    client certificate.
> > ssl_cert_file - Path to the file of the client SSL certificate.
> >
> > If the ssl_mode is not set to "disable" then ODBC driver will
> > attempt to find and load OpenSSL library before establishing
> > connection.
> >
> > For the server side there is already SslContextFactory in the
> > IgniteConfiguration, which is used by all components to determine
> > if the SSL enabled and to figure out connection parameters, so
> > I think it's a good idea to just re-use it for the
> ClientListenerProcessorю
> >
> > What do you guys think?
> >
> > [1] - https://www.openssl.org
> >
> > Best Regards,
> > Igor
>
>

> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
>
> Hi Denis,
>
>> Could you explain the difference between “allow, prefer and require”
> modes?
> allow - Client will first try connecting without SSL, and then fallback to
> SSL if it is not allowed to connect without SSL;
> prefer - Client will first try connecting using SSL, and then fallback to
> non-SSL if SSL is not supported by the server;
> disable - Client will only connect using SSL and return error if failed to
> successfully do so.
>
>> BTW, do we really need to have the “disable” one? Guess that having
> ssl_mode set to “disable” will have the same effect as not setting the
> ssl_mode at all.
> This is the matter of the default value of the ssl_mode option. The way you
> propose it means that you still has "disable" option, it is just is not
> explicit.
>
> Best Regards,
> Igor
>
> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]> wrote:
>
>> Hi Igor,
>>
>> Could you explain the difference between “allow, prefer and require” modes?
>>
>> BTW, do we really need to have the “disable” one? Guess that having
>> ssl_mode set to “disable” will have the same effect as not setting the
>> ssl_mode at all.
>>
>> —
>> Denis
>>
>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
>>>
>>> Hi, Igniters,
>>>
>>> I'm going to start working on the SSL support for the ODBC
>>> connection and I need to hear your opinion.
>>>
>>> For the client side I'm going to use OpenSSL library [1], which is
>>> standard de-facto for C/C++ applications. Unfortunately its
>>> licence is not fully compatible with Apache Licence, so its going
>>> to require from users to install OpenSSL themselves.
>>>
>>> For the driver I'm going to add following options to connection
>>> string:
>>> ssl_mode - Determines whether or with what priority a SSL
>>>   connection will be negotiated with the server. Options
>>>   here are disable, allow, prefer, require.
>>> ssl_key_file - Path to the location for the secret key used for the
>>>   client certificate.
>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>
>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>> attempt to find and load OpenSSL library before establishing
>>> connection.
>>>
>>> For the server side there is already SslContextFactory in the
>>> IgniteConfiguration, which is used by all components to determine
>>> if the SSL enabled and to figure out connection parameters, so
>>> I think it's a good idea to just re-use it for the
>> ClientListenerProcessorю
>>>
>>> What do you guys think?
>>>
>>> [1] - https://www.openssl.org
>>>
>>> Best Regards,
>>> Igor
>>
>>

> Igor,
>
> Thanks for the clarification. Please file a ticket if nobody else shares a
> feedback soon.
>
> —
> Denis
>
> > On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
> >
> > Hi Denis,
> >
> >> Could you explain the difference between “allow, prefer and require”
> > modes?
> > allow - Client will first try connecting without SSL, and then fallback
> to
> > SSL if it is not allowed to connect without SSL;
> > prefer - Client will first try connecting using SSL, and then fallback to
> > non-SSL if SSL is not supported by the server;
> > disable - Client will only connect using SSL and return error if failed
> to
> > successfully do so.
> >
> >> BTW, do we really need to have the “disable” one? Guess that having
> > ssl_mode set to “disable” will have the same effect as not setting the
> > ssl_mode at all.
> > This is the matter of the default value of the ssl_mode option. The way
> you
> > propose it means that you still has "disable" option, it is just is not
> > explicit.
> >
> > Best Regards,
> > Igor
> >
> > On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]> wrote:
> >
> >> Hi Igor,
> >>
> >> Could you explain the difference between “allow, prefer and require”
> modes?
> >>
> >> BTW, do we really need to have the “disable” one? Guess that having
> >> ssl_mode set to “disable” will have the same effect as not setting the
> >> ssl_mode at all.
> >>
> >> —
> >> Denis
> >>
> >>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
> >>>
> >>> Hi, Igniters,
> >>>
> >>> I'm going to start working on the SSL support for the ODBC
> >>> connection and I need to hear your opinion.
> >>>
> >>> For the client side I'm going to use OpenSSL library [1], which is
> >>> standard de-facto for C/C++ applications. Unfortunately its
> >>> licence is not fully compatible with Apache Licence, so its going
> >>> to require from users to install OpenSSL themselves.
> >>>
> >>> For the driver I'm going to add following options to connection
> >>> string:
> >>> ssl_mode - Determines whether or with what priority a SSL
> >>>   connection will be negotiated with the server. Options
> >>>   here are disable, allow, prefer, require.
> >>> ssl_key_file - Path to the location for the secret key used for the
> >>>   client certificate.
> >>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>
> >>> If the ssl_mode is not set to "disable" then ODBC driver will
> >>> attempt to find and load OpenSSL library before establishing
> >>> connection.
> >>>
> >>> For the server side there is already SslContextFactory in the
> >>> IgniteConfiguration, which is used by all components to determine
> >>> if the SSL enabled and to figure out connection parameters, so
> >>> I think it's a good idea to just re-use it for the
> >> ClientListenerProcessorю
> >>>
> >>> What do you guys think?
> >>>
> >>> [1] - https://www.openssl.org
> >>>
> >>> Best Regards,
> >>> Igor
> >>
> >>
>
>

> I think it would be enough to have a single switch for now.
>
> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]> wrote:
>
> > Igor,
> >
> > Thanks for the clarification. Please file a ticket if nobody else shares
> a
> > feedback soon.
> >
> > —
> > Denis
> >
> > > On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
> > >
> > > Hi Denis,
> > >
> > >> Could you explain the difference between “allow, prefer and require”
> > > modes?
> > > allow - Client will first try connecting without SSL, and then fallback
> > to
> > > SSL if it is not allowed to connect without SSL;
> > > prefer - Client will first try connecting using SSL, and then fallback
> to
> > > non-SSL if SSL is not supported by the server;
> > > disable - Client will only connect using SSL and return error if failed
> > to
> > > successfully do so.
> > >
> > >> BTW, do we really need to have the “disable” one? Guess that having
> > > ssl_mode set to “disable” will have the same effect as not setting the
> > > ssl_mode at all.
> > > This is the matter of the default value of the ssl_mode option. The way
> > you
> > > propose it means that you still has "disable" option, it is just is not
> > > explicit.
> > >
> > > Best Regards,
> > > Igor
> > >
> > > On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
> wrote:
> > >
> > >> Hi Igor,
> > >>
> > >> Could you explain the difference between “allow, prefer and require”
> > modes?
> > >>
> > >> BTW, do we really need to have the “disable” one? Guess that having
> > >> ssl_mode set to “disable” will have the same effect as not setting the
> > >> ssl_mode at all.
> > >>
> > >> —
> > >> Denis
> > >>
> > >>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
> > >>>
> > >>> Hi, Igniters,
> > >>>
> > >>> I'm going to start working on the SSL support for the ODBC
> > >>> connection and I need to hear your opinion.
> > >>>
> > >>> For the client side I'm going to use OpenSSL library [1], which is
> > >>> standard de-facto for C/C++ applications. Unfortunately its
> > >>> licence is not fully compatible with Apache Licence, so its going
> > >>> to require from users to install OpenSSL themselves.
> > >>>
> > >>> For the driver I'm going to add following options to connection
> > >>> string:
> > >>> ssl_mode - Determines whether or with what priority a SSL
> > >>>   connection will be negotiated with the server. Options
> > >>>   here are disable, allow, prefer, require.
> > >>> ssl_key_file - Path to the location for the secret key used for the
> > >>>   client certificate.
> > >>> ssl_cert_file - Path to the file of the client SSL certificate.
> > >>>
> > >>> If the ssl_mode is not set to "disable" then ODBC driver will
> > >>> attempt to find and load OpenSSL library before establishing
> > >>> connection.
> > >>>
> > >>> For the server side there is already SslContextFactory in the
> > >>> IgniteConfiguration, which is used by all components to determine
> > >>> if the SSL enabled and to figure out connection parameters, so
> > >>> I think it's a good idea to just re-use it for the
> > >> ClientListenerProcessorю
> > >>>
> > >>> What do you guys think?
> > >>>
> > >>> [1] - https://www.openssl.org
> > >>>
> > >>> Best Regards,
> > >>> Igor
> > >>
> > >>
> >
> >
>

> On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]> wrote:
>
> Ok, then how about the following set of options:
>
> ssl_enabled=[true|false]
> ssl_key_file=<path_to_secret_key>
> ssl_cert_file=<path_to_certificate>
>
>
> Best Regards,
> Igor
>
> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <[hidden email]>
> wrote:
>
>> I think it would be enough to have a single switch for now.
>>
>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]> wrote:
>>
>>> Igor,
>>>
>>> Thanks for the clarification. Please file a ticket if nobody else shares
>> a
>>> feedback soon.
>>>
>>> —
>>> Denis
>>>
>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
>>>>
>>>> Hi Denis,
>>>>
>>>>> Could you explain the difference between “allow, prefer and require”
>>>> modes?
>>>> allow - Client will first try connecting without SSL, and then fallback
>>> to
>>>> SSL if it is not allowed to connect without SSL;
>>>> prefer - Client will first try connecting using SSL, and then fallback
>> to
>>>> non-SSL if SSL is not supported by the server;
>>>> disable - Client will only connect using SSL and return error if failed
>>> to
>>>> successfully do so.
>>>>
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>> ssl_mode at all.
>>>> This is the matter of the default value of the ssl_mode option. The way
>>> you
>>>> propose it means that you still has "disable" option, it is just is not
>>>> explicit.
>>>>
>>>> Best Regards,
>>>> Igor
>>>>
>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
>> wrote:
>>>>
>>>>> Hi Igor,
>>>>>
>>>>> Could you explain the difference between “allow, prefer and require”
>>> modes?
>>>>>
>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>> ssl_mode at all.
>>>>>
>>>>> —
>>>>> Denis
>>>>>
>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
>>>>>>
>>>>>> Hi, Igniters,
>>>>>>
>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>> connection and I need to hear your opinion.
>>>>>>
>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>> standard de-facto for C/C++ applications. Unfortunately its
>>>>>> licence is not fully compatible with Apache Licence, so its going
>>>>>> to require from users to install OpenSSL themselves.
>>>>>>
>>>>>> For the driver I'm going to add following options to connection
>>>>>> string:
>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>  connection will be negotiated with the server. Options
>>>>>>  here are disable, allow, prefer, require.
>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>  client certificate.
>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>
>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>> connection.
>>>>>>
>>>>>> For the server side there is already SslContextFactory in the
>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>> if the SSL enabled and to figure out connection parameters, so
>>>>>> I think it's a good idea to just re-use it for the
>>>>> ClientListenerProcessorю
>>>>>>
>>>>>> What do you guys think?
>>>>>>
>>>>>> [1] - https://www.openssl.org
>>>>>>
>>>>>> Best Regards,
>>>>>> Igor
>>>>>
>>>>>
>>>
>>>
>>

> This configuration approach looks clearer to me. +1 for it.
>
> —
> Denis
>
> > On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]> wrote:
> >
> > Ok, then how about the following set of options:
> >
> > ssl_enabled=[true|false]
> > ssl_key_file=<path_to_secret_key>
> > ssl_cert_file=<path_to_certificate>
> >
> >
> > Best Regards,
> > Igor
> >
> > On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <[hidden email]>
> > wrote:
> >
> >> I think it would be enough to have a single switch for now.
> >>
> >> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]> wrote:
> >>
> >>> Igor,
> >>>
> >>> Thanks for the clarification. Please file a ticket if nobody else
> shares
> >> a
> >>> feedback soon.
> >>>
> >>> —
> >>> Denis
> >>>
> >>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
> >>>>
> >>>> Hi Denis,
> >>>>
> >>>>> Could you explain the difference between “allow, prefer and require”
> >>>> modes?
> >>>> allow - Client will first try connecting without SSL, and then
> fallback
> >>> to
> >>>> SSL if it is not allowed to connect without SSL;
> >>>> prefer - Client will first try connecting using SSL, and then fallback
> >> to
> >>>> non-SSL if SSL is not supported by the server;
> >>>> disable - Client will only connect using SSL and return error if
> failed
> >>> to
> >>>> successfully do so.
> >>>>
> >>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>> ssl_mode set to “disable” will have the same effect as not setting the
> >>>> ssl_mode at all.
> >>>> This is the matter of the default value of the ssl_mode option. The
> way
> >>> you
> >>>> propose it means that you still has "disable" option, it is just is
> not
> >>>> explicit.
> >>>>
> >>>> Best Regards,
> >>>> Igor
> >>>>
> >>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
> >> wrote:
> >>>>
> >>>>> Hi Igor,
> >>>>>
> >>>>> Could you explain the difference between “allow, prefer and require”
> >>> modes?
> >>>>>
> >>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>> ssl_mode set to “disable” will have the same effect as not setting
> the
> >>>>> ssl_mode at all.
> >>>>>
> >>>>> —
> >>>>> Denis
> >>>>>
> >>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
> >>>>>>
> >>>>>> Hi, Igniters,
> >>>>>>
> >>>>>> I'm going to start working on the SSL support for the ODBC
> >>>>>> connection and I need to hear your opinion.
> >>>>>>
> >>>>>> For the client side I'm going to use OpenSSL library [1], which is
> >>>>>> standard de-facto for C/C++ applications. Unfortunately its
> >>>>>> licence is not fully compatible with Apache Licence, so its going
> >>>>>> to require from users to install OpenSSL themselves.
> >>>>>>
> >>>>>> For the driver I'm going to add following options to connection
> >>>>>> string:
> >>>>>> ssl_mode - Determines whether or with what priority a SSL
> >>>>>>  connection will be negotiated with the server. Options
> >>>>>>  here are disable, allow, prefer, require.
> >>>>>> ssl_key_file - Path to the location for the secret key used for the
> >>>>>>  client certificate.
> >>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>>>>
> >>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
> >>>>>> attempt to find and load OpenSSL library before establishing
> >>>>>> connection.
> >>>>>>
> >>>>>> For the server side there is already SslContextFactory in the
> >>>>>> IgniteConfiguration, which is used by all components to determine
> >>>>>> if the SSL enabled and to figure out connection parameters, so
> >>>>>> I think it's a good idea to just re-use it for the
> >>>>> ClientListenerProcessorю
> >>>>>>
> >>>>>> What do you guys think?
> >>>>>>
> >>>>>> [1] - https://www.openssl.org
> >>>>>>
> >>>>>> Best Regards,
> >>>>>> Igor
> >>>>>
> >>>>>
> >>>
> >>>
> >>
>
>

> On Jan 26, 2018, at 6:08 AM, Igor Sapego <[hidden email]> wrote:
>
> Guys,
>
> The SSL for the ODBC is pretty much ready and working, so
> here is update on the current state I want to share with you.
> And of course, I'd like to to hear your opinion on this one.
>
> First of all, I've checked some discussions about the ssl_mode
> approaches in different ODBC drivers and it seems to me that
> there is a big chance that simple ssl_enabled=[true|false]
> approach is not going to be enough for our users.
>
> So I propose a compromise for now. The compromise is to use
> ssl_mode=[require|disable] parameter right now, which is pretty
> much as easy to understand as ssl_enabled=[true|false], but
> leaves us a possibility to add other modes in future if we need
> them.
>
> So the full set of SSL parameters now is the following:
> ssl_mode=[require|disable]
> ssl_key_file=<path_to_private_key>
> ssl_cert_file=<path_to_client_certificate>
> ssl_ca_file=<path_to_trusted_certificates>
>
> Thoughts?
>
> Best Regards,
> Igor
>
> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <[hidden email]> wrote:
>
>> This configuration approach looks clearer to me. +1 for it.
>>
>> —
>> Denis
>>
>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]> wrote:
>>>
>>> Ok, then how about the following set of options:
>>>
>>> ssl_enabled=[true|false]
>>> ssl_key_file=<path_to_secret_key>
>>> ssl_cert_file=<path_to_certificate>
>>>
>>>
>>> Best Regards,
>>> Igor
>>>
>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <[hidden email]>
>>> wrote:
>>>
>>>> I think it would be enough to have a single switch for now.
>>>>
>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]> wrote:
>>>>
>>>>> Igor,
>>>>>
>>>>> Thanks for the clarification. Please file a ticket if nobody else
>> shares
>>>> a
>>>>> feedback soon.
>>>>>
>>>>> —
>>>>> Denis
>>>>>
>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
>>>>>>
>>>>>> Hi Denis,
>>>>>>
>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>>> modes?
>>>>>> allow - Client will first try connecting without SSL, and then
>> fallback
>>>>> to
>>>>>> SSL if it is not allowed to connect without SSL;
>>>>>> prefer - Client will first try connecting using SSL, and then fallback
>>>> to
>>>>>> non-SSL if SSL is not supported by the server;
>>>>>> disable - Client will only connect using SSL and return error if
>> failed
>>>>> to
>>>>>> successfully do so.
>>>>>>
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>> ssl_mode set to “disable” will have the same effect as not setting the
>>>>>> ssl_mode at all.
>>>>>> This is the matter of the default value of the ssl_mode option. The
>> way
>>>>> you
>>>>>> propose it means that you still has "disable" option, it is just is
>> not
>>>>>> explicit.
>>>>>>
>>>>>> Best Regards,
>>>>>> Igor
>>>>>>
>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
>>>> wrote:
>>>>>>
>>>>>>> Hi Igor,
>>>>>>>
>>>>>>> Could you explain the difference between “allow, prefer and require”
>>>>> modes?
>>>>>>>
>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>> ssl_mode set to “disable” will have the same effect as not setting
>> the
>>>>>>> ssl_mode at all.
>>>>>>>
>>>>>>> —
>>>>>>> Denis
>>>>>>>
>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]> wrote:
>>>>>>>>
>>>>>>>> Hi, Igniters,
>>>>>>>>
>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>> connection and I need to hear your opinion.
>>>>>>>>
>>>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>>>> standard de-facto for C/C++ applications. Unfortunately its
>>>>>>>> licence is not fully compatible with Apache Licence, so its going
>>>>>>>> to require from users to install OpenSSL themselves.
>>>>>>>>
>>>>>>>> For the driver I'm going to add following options to connection
>>>>>>>> string:
>>>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>> ssl_key_file - Path to the location for the secret key used for the
>>>>>>>> client certificate.
>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>>
>>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>>>> connection.
>>>>>>>>
>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>> if the SSL enabled and to figure out connection parameters, so
>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>> ClientListenerProcessorю
>>>>>>>>
>>>>>>>> What do you guys think?
>>>>>>>>
>>>>>>>> [1] - https://www.openssl.org
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Igor
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>
>>

> Igor,
>
> Why it might be not enough to have ssl_enabled=[true | false]? Could you
> give an example since you’ve already did a research?
>
> —
> Denis
>
> > On Jan 26, 2018, at 6:08 AM, Igor Sapego <[hidden email]> wrote:
> >
> > Guys,
> >
> > The SSL for the ODBC is pretty much ready and working, so
> > here is update on the current state I want to share with you.
> > And of course, I'd like to to hear your opinion on this one.
> >
> > First of all, I've checked some discussions about the ssl_mode
> > approaches in different ODBC drivers and it seems to me that
> > there is a big chance that simple ssl_enabled=[true|false]
> > approach is not going to be enough for our users.
> >
> > So I propose a compromise for now. The compromise is to use
> > ssl_mode=[require|disable] parameter right now, which is pretty
> > much as easy to understand as ssl_enabled=[true|false], but
> > leaves us a possibility to add other modes in future if we need
> > them.
> >
> > So the full set of SSL parameters now is the following:
> > ssl_mode=[require|disable]
> > ssl_key_file=<path_to_private_key>
> > ssl_cert_file=<path_to_client_certificate>
> > ssl_ca_file=<path_to_trusted_certificates>
> >
> > Thoughts?
> >
> > Best Regards,
> > Igor
> >
> > On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <[hidden email]> wrote:
> >
> >> This configuration approach looks clearer to me. +1 for it.
> >>
> >> —
> >> Denis
> >>
> >>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]> wrote:
> >>>
> >>> Ok, then how about the following set of options:
> >>>
> >>> ssl_enabled=[true|false]
> >>> ssl_key_file=<path_to_secret_key>
> >>> ssl_cert_file=<path_to_certificate>
> >>>
> >>>
> >>> Best Regards,
> >>> Igor
> >>>
> >>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <[hidden email]
> >
> >>> wrote:
> >>>
> >>>> I think it would be enough to have a single switch for now.
> >>>>
> >>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]>
> wrote:
> >>>>
> >>>>> Igor,
> >>>>>
> >>>>> Thanks for the clarification. Please file a ticket if nobody else
> >> shares
> >>>> a
> >>>>> feedback soon.
> >>>>>
> >>>>> —
> >>>>> Denis
> >>>>>
> >>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
> >>>>>>
> >>>>>> Hi Denis,
> >>>>>>
> >>>>>>> Could you explain the difference between “allow, prefer and
> require”
> >>>>>> modes?
> >>>>>> allow - Client will first try connecting without SSL, and then
> >> fallback
> >>>>> to
> >>>>>> SSL if it is not allowed to connect without SSL;
> >>>>>> prefer - Client will first try connecting using SSL, and then
> fallback
> >>>> to
> >>>>>> non-SSL if SSL is not supported by the server;
> >>>>>> disable - Client will only connect using SSL and return error if
> >> failed
> >>>>> to
> >>>>>> successfully do so.
> >>>>>>
> >>>>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>>> ssl_mode set to “disable” will have the same effect as not setting
> the
> >>>>>> ssl_mode at all.
> >>>>>> This is the matter of the default value of the ssl_mode option. The
> >> way
> >>>>> you
> >>>>>> propose it means that you still has "disable" option, it is just is
> >> not
> >>>>>> explicit.
> >>>>>>
> >>>>>> Best Regards,
> >>>>>> Igor
> >>>>>>
> >>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
> >>>> wrote:
> >>>>>>
> >>>>>>> Hi Igor,
> >>>>>>>
> >>>>>>> Could you explain the difference between “allow, prefer and
> require”
> >>>>> modes?
> >>>>>>>
> >>>>>>> BTW, do we really need to have the “disable” one? Guess that having
> >>>>>>> ssl_mode set to “disable” will have the same effect as not setting
> >> the
> >>>>>>> ssl_mode at all.
> >>>>>>>
> >>>>>>> —
> >>>>>>> Denis
> >>>>>>>
> >>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]>
> wrote:
> >>>>>>>>
> >>>>>>>> Hi, Igniters,
> >>>>>>>>
> >>>>>>>> I'm going to start working on the SSL support for the ODBC
> >>>>>>>> connection and I need to hear your opinion.
> >>>>>>>>
> >>>>>>>> For the client side I'm going to use OpenSSL library [1], which is
> >>>>>>>> standard de-facto for C/C++ applications. Unfortunately its
> >>>>>>>> licence is not fully compatible with Apache Licence, so its going
> >>>>>>>> to require from users to install OpenSSL themselves.
> >>>>>>>>
> >>>>>>>> For the driver I'm going to add following options to connection
> >>>>>>>> string:
> >>>>>>>> ssl_mode - Determines whether or with what priority a SSL
> >>>>>>>> connection will be negotiated with the server. Options
> >>>>>>>> here are disable, allow, prefer, require.
> >>>>>>>> ssl_key_file - Path to the location for the secret key used for
> the
> >>>>>>>> client certificate.
> >>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
> >>>>>>>>
> >>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
> >>>>>>>> attempt to find and load OpenSSL library before establishing
> >>>>>>>> connection.
> >>>>>>>>
> >>>>>>>> For the server side there is already SslContextFactory in the
> >>>>>>>> IgniteConfiguration, which is used by all components to determine
> >>>>>>>> if the SSL enabled and to figure out connection parameters, so
> >>>>>>>> I think it's a good idea to just re-use it for the
> >>>>>>> ClientListenerProcessorю
> >>>>>>>>
> >>>>>>>> What do you guys think?
> >>>>>>>>
> >>>>>>>> [1] - https://www.openssl.org
> >>>>>>>>
> >>>>>>>> Best Regards,
> >>>>>>>> Igor
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>>
> >>
> >>
>
>

> Denis,
>
> For example, there are often such options as "verify-ca" and "verify-full".
> [1-3]
> Moreover, this approach seems more consistent with other solutions and thus
> more familiar to user.
>
> [1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
> [2] -
> https://docs.oracle.com/cd/E17952_01/connector-odbc-en/
> connector-odbc-configuration-connection-parameters.html
> [3] -
> https://dev.mysql.com/doc/connector-odbc/en/connector-
> odbc-configuration-connection-parameters.html
>
> Best Regards,
> Igor
>
> On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <[hidden email]> wrote:
>
> > Igor,
> >
> > Why it might be not enough to have ssl_enabled=[true | false]? Could you
> > give an example since you’ve already did a research?
> >
> > —
> > Denis
> >
> > > On Jan 26, 2018, at 6:08 AM, Igor Sapego <[hidden email]> wrote:
> > >
> > > Guys,
> > >
> > > The SSL for the ODBC is pretty much ready and working, so
> > > here is update on the current state I want to share with you.
> > > And of course, I'd like to to hear your opinion on this one.
> > >
> > > First of all, I've checked some discussions about the ssl_mode
> > > approaches in different ODBC drivers and it seems to me that
> > > there is a big chance that simple ssl_enabled=[true|false]
> > > approach is not going to be enough for our users.
> > >
> > > So I propose a compromise for now. The compromise is to use
> > > ssl_mode=[require|disable] parameter right now, which is pretty
> > > much as easy to understand as ssl_enabled=[true|false], but
> > > leaves us a possibility to add other modes in future if we need
> > > them.
> > >
> > > So the full set of SSL parameters now is the following:
> > > ssl_mode=[require|disable]
> > > ssl_key_file=<path_to_private_key>
> > > ssl_cert_file=<path_to_client_certificate>
> > > ssl_ca_file=<path_to_trusted_certificates>
> > >
> > > Thoughts?
> > >
> > > Best Regards,
> > > Igor
> > >
> > > On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <[hidden email]>
> wrote:
> > >
> > >> This configuration approach looks clearer to me. +1 for it.
> > >>
> > >> —
> > >> Denis
> > >>
> > >>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]>
> wrote:
> > >>>
> > >>> Ok, then how about the following set of options:
> > >>>
> > >>> ssl_enabled=[true|false]
> > >>> ssl_key_file=<path_to_secret_key>
> > >>> ssl_cert_file=<path_to_certificate>
> > >>>
> > >>>
> > >>> Best Regards,
> > >>> Igor
> > >>>
> > >>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <
> [hidden email]
> > >
> > >>> wrote:
> > >>>
> > >>>> I think it would be enough to have a single switch for now.
> > >>>>
> > >>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]>
> > wrote:
> > >>>>
> > >>>>> Igor,
> > >>>>>
> > >>>>> Thanks for the clarification. Please file a ticket if nobody else
> > >> shares
> > >>>> a
> > >>>>> feedback soon.
> > >>>>>
> > >>>>> —
> > >>>>> Denis
> > >>>>>
> > >>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]>
> wrote:
> > >>>>>>
> > >>>>>> Hi Denis,
> > >>>>>>
> > >>>>>>> Could you explain the difference between “allow, prefer and
> > require”
> > >>>>>> modes?
> > >>>>>> allow - Client will first try connecting without SSL, and then
> > >> fallback
> > >>>>> to
> > >>>>>> SSL if it is not allowed to connect without SSL;
> > >>>>>> prefer - Client will first try connecting using SSL, and then
> > fallback
> > >>>> to
> > >>>>>> non-SSL if SSL is not supported by the server;
> > >>>>>> disable - Client will only connect using SSL and return error if
> > >> failed
> > >>>>> to
> > >>>>>> successfully do so.
> > >>>>>>
> > >>>>>>> BTW, do we really need to have the “disable” one? Guess that
> having
> > >>>>>> ssl_mode set to “disable” will have the same effect as not setting
> > the
> > >>>>>> ssl_mode at all.
> > >>>>>> This is the matter of the default value of the ssl_mode option.
> The
> > >> way
> > >>>>> you
> > >>>>>> propose it means that you still has "disable" option, it is just
> is
> > >> not
> > >>>>>> explicit.
> > >>>>>>
> > >>>>>> Best Regards,
> > >>>>>> Igor
> > >>>>>>
> > >>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
> > >>>> wrote:
> > >>>>>>
> > >>>>>>> Hi Igor,
> > >>>>>>>
> > >>>>>>> Could you explain the difference between “allow, prefer and
> > require”
> > >>>>> modes?
> > >>>>>>>
> > >>>>>>> BTW, do we really need to have the “disable” one? Guess that
> having
> > >>>>>>> ssl_mode set to “disable” will have the same effect as not
> setting
> > >> the
> > >>>>>>> ssl_mode at all.
> > >>>>>>>
> > >>>>>>> —
> > >>>>>>> Denis
> > >>>>>>>
> > >>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]>
> > wrote:
> > >>>>>>>>
> > >>>>>>>> Hi, Igniters,
> > >>>>>>>>
> > >>>>>>>> I'm going to start working on the SSL support for the ODBC
> > >>>>>>>> connection and I need to hear your opinion.
> > >>>>>>>>
> > >>>>>>>> For the client side I'm going to use OpenSSL library [1], which
> is
> > >>>>>>>> standard de-facto for C/C++ applications. Unfortunately its
> > >>>>>>>> licence is not fully compatible with Apache Licence, so its
> going
> > >>>>>>>> to require from users to install OpenSSL themselves.
> > >>>>>>>>
> > >>>>>>>> For the driver I'm going to add following options to connection
> > >>>>>>>> string:
> > >>>>>>>> ssl_mode - Determines whether or with what priority a SSL
> > >>>>>>>> connection will be negotiated with the server. Options
> > >>>>>>>> here are disable, allow, prefer, require.
> > >>>>>>>> ssl_key_file - Path to the location for the secret key used for
> > the
> > >>>>>>>> client certificate.
> > >>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
> > >>>>>>>>
> > >>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
> > >>>>>>>> attempt to find and load OpenSSL library before establishing
> > >>>>>>>> connection.
> > >>>>>>>>
> > >>>>>>>> For the server side there is already SslContextFactory in the
> > >>>>>>>> IgniteConfiguration, which is used by all components to
> determine
> > >>>>>>>> if the SSL enabled and to figure out connection parameters, so
> > >>>>>>>> I think it's a good idea to just re-use it for the
> > >>>>>>> ClientListenerProcessorю
> > >>>>>>>>
> > >>>>>>>> What do you guys think?
> > >>>>>>>>
> > >>>>>>>> [1] - https://www.openssl.org
> > >>>>>>>>
> > >>>>>>>> Best Regards,
> > >>>>>>>> Igor
> > >>>>>>>
> > >>>>>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>
> > >>
> >
> >
>

> On Jan 29, 2018, at 3:50 AM, Igor Sapego <[hidden email]> wrote:
>
> Denis,
>
> For example, there are often such options as "verify-ca" and "verify-full".
> [1-3]
> Moreover, this approach seems more consistent with other solutions and thus
> more familiar to user.
>
> [1] - https://www.postgresql.org/docs/9.1/static/libpq-ssl.html
> [2] -
> https://docs.oracle.com/cd/E17952_01/connector-odbc-en/connector-odbc-configuration-connection-parameters.html
> [3] -
> https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
>
> Best Regards,
> Igor
>
> On Sat, Jan 27, 2018 at 2:22 AM, Denis Magda <[hidden email]> wrote:
>
>> Igor,
>>
>> Why it might be not enough to have ssl_enabled=[true | false]? Could you
>> give an example since you’ve already did a research?
>>
>> —
>> Denis
>>
>>> On Jan 26, 2018, at 6:08 AM, Igor Sapego <[hidden email]> wrote:
>>>
>>> Guys,
>>>
>>> The SSL for the ODBC is pretty much ready and working, so
>>> here is update on the current state I want to share with you.
>>> And of course, I'd like to to hear your opinion on this one.
>>>
>>> First of all, I've checked some discussions about the ssl_mode
>>> approaches in different ODBC drivers and it seems to me that
>>> there is a big chance that simple ssl_enabled=[true|false]
>>> approach is not going to be enough for our users.
>>>
>>> So I propose a compromise for now. The compromise is to use
>>> ssl_mode=[require|disable] parameter right now, which is pretty
>>> much as easy to understand as ssl_enabled=[true|false], but
>>> leaves us a possibility to add other modes in future if we need
>>> them.
>>>
>>> So the full set of SSL parameters now is the following:
>>> ssl_mode=[require|disable]
>>> ssl_key_file=<path_to_private_key>
>>> ssl_cert_file=<path_to_client_certificate>
>>> ssl_ca_file=<path_to_trusted_certificates>
>>>
>>> Thoughts?
>>>
>>> Best Regards,
>>> Igor
>>>
>>> On Tue, Nov 21, 2017 at 2:01 AM, Denis Magda <[hidden email]> wrote:
>>>
>>>> This configuration approach looks clearer to me. +1 for it.
>>>>
>>>> —
>>>> Denis
>>>>
>>>>> On Nov 20, 2017, at 12:42 AM, Igor Sapego <[hidden email]> wrote:
>>>>>
>>>>> Ok, then how about the following set of options:
>>>>>
>>>>> ssl_enabled=[true|false]
>>>>> ssl_key_file=<path_to_secret_key>
>>>>> ssl_cert_file=<path_to_certificate>
>>>>>
>>>>>
>>>>> Best Regards,
>>>>> Igor
>>>>>
>>>>> On Tue, Nov 14, 2017 at 5:21 PM, Vladimir Ozerov <[hidden email]
>>>
>>>>> wrote:
>>>>>
>>>>>> I think it would be enough to have a single switch for now.
>>>>>>
>>>>>> On Tue, Nov 7, 2017 at 10:04 PM, Denis Magda <[hidden email]>
>> wrote:
>>>>>>
>>>>>>> Igor,
>>>>>>>
>>>>>>> Thanks for the clarification. Please file a ticket if nobody else
>>>> shares
>>>>>> a
>>>>>>> feedback soon.
>>>>>>>
>>>>>>> —
>>>>>>> Denis
>>>>>>>
>>>>>>>> On Nov 7, 2017, at 1:23 AM, Igor Sapego <[hidden email]> wrote:
>>>>>>>>
>>>>>>>> Hi Denis,
>>>>>>>>
>>>>>>>>> Could you explain the difference between “allow, prefer and
>> require”
>>>>>>>> modes?
>>>>>>>> allow - Client will first try connecting without SSL, and then
>>>> fallback
>>>>>>> to
>>>>>>>> SSL if it is not allowed to connect without SSL;
>>>>>>>> prefer - Client will first try connecting using SSL, and then
>> fallback
>>>>>> to
>>>>>>>> non-SSL if SSL is not supported by the server;
>>>>>>>> disable - Client will only connect using SSL and return error if
>>>> failed
>>>>>>> to
>>>>>>>> successfully do so.
>>>>>>>>
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting
>> the
>>>>>>>> ssl_mode at all.
>>>>>>>> This is the matter of the default value of the ssl_mode option. The
>>>> way
>>>>>>> you
>>>>>>>> propose it means that you still has "disable" option, it is just is
>>>> not
>>>>>>>> explicit.
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Igor
>>>>>>>>
>>>>>>>> On Fri, Nov 3, 2017 at 10:35 PM, Denis Magda <[hidden email]>
>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Igor,
>>>>>>>>>
>>>>>>>>> Could you explain the difference between “allow, prefer and
>> require”
>>>>>>> modes?
>>>>>>>>>
>>>>>>>>> BTW, do we really need to have the “disable” one? Guess that having
>>>>>>>>> ssl_mode set to “disable” will have the same effect as not setting
>>>> the
>>>>>>>>> ssl_mode at all.
>>>>>>>>>
>>>>>>>>> —
>>>>>>>>> Denis
>>>>>>>>>
>>>>>>>>>> On Nov 3, 2017, at 9:04 AM, Igor Sapego <[hidden email]>
>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi, Igniters,
>>>>>>>>>>
>>>>>>>>>> I'm going to start working on the SSL support for the ODBC
>>>>>>>>>> connection and I need to hear your opinion.
>>>>>>>>>>
>>>>>>>>>> For the client side I'm going to use OpenSSL library [1], which is
>>>>>>>>>> standard de-facto for C/C++ applications. Unfortunately its
>>>>>>>>>> licence is not fully compatible with Apache Licence, so its going
>>>>>>>>>> to require from users to install OpenSSL themselves.
>>>>>>>>>>
>>>>>>>>>> For the driver I'm going to add following options to connection
>>>>>>>>>> string:
>>>>>>>>>> ssl_mode - Determines whether or with what priority a SSL
>>>>>>>>>> connection will be negotiated with the server. Options
>>>>>>>>>> here are disable, allow, prefer, require.
>>>>>>>>>> ssl_key_file - Path to the location for the secret key used for
>> the
>>>>>>>>>> client certificate.
>>>>>>>>>> ssl_cert_file - Path to the file of the client SSL certificate.
>>>>>>>>>>
>>>>>>>>>> If the ssl_mode is not set to "disable" then ODBC driver will
>>>>>>>>>> attempt to find and load OpenSSL library before establishing
>>>>>>>>>> connection.
>>>>>>>>>>
>>>>>>>>>> For the server side there is already SslContextFactory in the
>>>>>>>>>> IgniteConfiguration, which is used by all components to determine
>>>>>>>>>> if the SSL enabled and to figure out connection parameters, so
>>>>>>>>>> I think it's a good idea to just re-use it for the
>>>>>>>>> ClientListenerProcessorю
>>>>>>>>>>
>>>>>>>>>> What do you guys think?
>>>>>>>>>>
>>>>>>>>>> [1] - https://www.openssl.org
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Igor
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>>
>>
>>