Posted to dev@ignite.apache.org by Dmitriy Setrakyan <ds...@apache.org> on 2015/09/30 03:51:26 UTC

what is "communication encryption"?

I got the following printout on 1.4 startup:
---------
Security status [authentication=off, communication encryption=off]
---------

Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
"ssl=off"?

D.

Re: what is "communication encryption"?

Posted by Nikolay Tikhonov <nt...@gridgain.com>.
Communication encryption is implemented using Security API hence Ignite
supports the following security algorithms:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

On Wed, Sep 30, 2015 at 3:23 PM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> On Wed, Sep 30, 2015 at 12:18 PM, Branko Čibej <br...@apache.org> wrote:
>
> > On 30.09.2015 11:18, Nikolay Tikhonov wrote:
> > > SslContextFactory allows to set different encryption protocols (by default
> > > TLS). I think that just "ssl" confuses users. Might be "ssl\tls=off" more
> > > acceptable?
> >
> > SSL is one (rather old) specification of Transport Layer Security (TLS).
> > These days, you shouldn't be using any version of the SSL protocol; they
> > all have unfixable security holes.
> >
> > To be moderately safe, you should implement TLS v1.2 with fallback
> > allowed to TLS v1.0 but not lower. Even then, certificates should use at
> > least SHA256, preferably SHA512; SHA1 is no longer considered secure. I
> > don't recall offhand which ciphers are considered secure, but there
> > aren't very many of them.
> >
> >
> Agree. Ignite currently supports TLS. Does anyone know which version of TLS
> we support?
>

Re: what is "communication encryption"?

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Wed, Sep 30, 2015 at 12:18 PM, Branko Čibej <br...@apache.org> wrote:

> On 30.09.2015 11:18, Nikolay Tikhonov wrote:
> > SslContextFactory allows to set different encryption protocols (by default
> > TLS). I think that just "ssl" confuses users. Might be "ssl\tls=off" more
> > acceptable?
>
> SSL is one (rather old) specification of Transport Layer Security (TLS).
> These days, you shouldn't be using any version of the SSL protocol; they
> all have unfixable security holes.
>
> To be moderately safe, you should implement TLS v1.2 with fallback
> allowed to TLS v1.0 but not lower. Even then, certificates should use at
> least SHA256, preferably SHA512; SHA1 is no longer considered secure. I
> don't recall offhand which ciphers are considered secure, but there
> aren't very many of them.
>
>
Agree. Ignite currently supports TLS. Does anyone know which version of TLS
we support?

Re: what is "communication encryption"?

Posted by Branko Čibej <br...@apache.org>.
On 30.09.2015 11:18, Nikolay Tikhonov wrote:
> SslContextFactory allows to set different encryption protocols (by default
> TLS). I think that just "ssl" confuses users. Might be "ssl\tls=off" more
> acceptable?

SSL is one (rather old) specification of Transport Layer Security (TLS).
These days, you shouldn't be using any version of the SSL protocol; they
all have unfixable security holes.

To be moderately safe, you should implement TLS v1.2 with fallback
allowed to TLS v1.0 but not lower. Even then, certificates should use at
least SHA256, preferably SHA512; SHA1 is no longer considered secure. I
don't recall offhand which ciphers are considered secure, but there
aren't very many of them.

-- Brane


> On Wed, Sep 30, 2015 at 11:53 AM, Dmitriy Setrakyan <ds...@apache.org>
> wrote:
>
>> On Wed, Sep 30, 2015 at 10:18 AM, Alexey Goncharuk <
>> alexey.goncharuk@gmail.com> wrote:
>>
>>> Given that encryption is enabled by setting SslContextFactory, I believe
>>> that SSL is the only option. I am +1 for changing the output.
>>>
>> I changed it and committed to master.
>>
>>
>>> 2015-09-30 10:21 GMT+03:00 Dmitriy Setrakyan <ds...@apache.org>:
>>>
>>>> On Wed, Sep 30, 2015 at 8:01 AM, Sergey Kozlov <sk...@gridgain.com>
>>>> wrote:
>>>>
>>>>> On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <dsetrakyan@apache.org>
>>>>> wrote:
>>>>>
>>>>>> I got the following printout on 1.4 startup:
>>>>>> ---------
>>>>>> Security status [authentication=off, communication encryption=off]
>>>>>> ---------
>>>>>>
>>>>>> Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
>>>>>> "ssl=off"?
>>>>>
>>>>>> D.
>>>>>>
>>>>> Yes, in that case communication encryption is SSL
>>>>>
>>>> Do we have another case? If not, let's rename to "ssl", shorter and to the
>>>> point. I think this can be done directly in the master. Any objections?
>>>>
>>>>> --
>>>>> Sergey Kozlov
>>>>>
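
An added example, not part of the thread and not Ignite code: a stand-alone Java check of the policy stated in the message above (TLS v1.2 with fallback no lower than TLS v1.0, no SHA-1 certificates), using only the JDK's `SSLContext`, `SSLEngine` and `KeyStore` APIs. The class name `TlsPolicyCheck` and the optional keystore path and password arguments are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsPolicyCheck {
    // Policy as stated in the message above: TLS v1.2, fallback no lower than TLS v1.0.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");

    /** Protocols to enable: permitted by the policy and supported by this JVM. */
    static String[] permitted(String[] supported) {
        List<String> out = new ArrayList<>(ALLOWED);
        out.retainAll(Arrays.asList(supported));
        if (out.isEmpty())
            throw new IllegalStateException("JVM supports no permitted TLS version");
        return out.toArray(new String[0]);
    }

    /** True when the certificate is signed with SHA-1 or an MD2/MD5 digest. */
    static boolean weakSignature(X509Certificate cert) {
        String alg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        return alg.startsWith("SHA1") || alg.startsWith("SHA-1") || alg.startsWith("MD");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS"); // standard name from the SSLContext table
        ctx.init(null, null, null);                     // JVM default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        // SSLv3 and SSLv2Hello are dropped here even if the JVM still lists them.
        engine.setEnabledProtocols(permitted(engine.getSupportedProtocols()));
        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));

        if (args.length < 2) return; // optional arguments: <keystore path> <password>
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(alias + ": " + x.getSigAlgName()
                    + (weakSignature(x) ? "  <-- weak signature hash" : ""));
            }
        }
    }
}
```

Current JDK releases disable TLSv1 and TLSv1.1 by default through the `jdk.tls.disabledAlgorithms` security property, so those two entries only take effect where that property has been relaxed.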


Re: what is "communication encryption"?

Posted by Nikolay Tikhonov <nt...@gridgain.com>.
SslContextFactory allows to set different encryption protocols (by default
TLS). I think that just "ssl" confuses users. Might be "ssl\tls=off" more
acceptable?

On Wed, Sep 30, 2015 at 11:53 AM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> On Wed, Sep 30, 2015 at 10:18 AM, Alexey Goncharuk <
> alexey.goncharuk@gmail.com> wrote:
>
> > Given that encryption is enabled by setting SslContextFactory, I believe
> > that SSL is the only option. I am +1 for changing the output.
> >
>
> I changed it and committed to master.
>
>
> >
> > 2015-09-30 10:21 GMT+03:00 Dmitriy Setrakyan <ds...@apache.org>:
> >
> > > On Wed, Sep 30, 2015 at 8:01 AM, Sergey Kozlov <sk...@gridgain.com>
> > > wrote:
> > >
> > > > On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <dsetrakyan@apache.org>
> > > > wrote:
> > > >
> > > > > I got the following printout on 1.4 startup:
> > > > > ---------
> > > > > Security status [authentication=off, communication encryption=off]
> > > > > ---------
> > > > >
> > > > > Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
> > > > > "ssl=off"?
> > > >
> > > >
> > > > > D.
> > > > >
> > > >
> > > > Yes, in that case communication encryption is SSL
> > > >
> > >
> > > Do we have another case? If not, let's rename to "ssl", shorter and to the
> > > point. I think this can be done directly in the master. Any objections?
> > >
> > > >
> > >
> > > >
> > > > --
> > > > Sergey Kozlov
> > > >
> > >
> >
>

Re: what is "communication encryption"?

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Wed, Sep 30, 2015 at 10:18 AM, Alexey Goncharuk <
alexey.goncharuk@gmail.com> wrote:

> Given that encryption is enabled by setting SslContextFactory, I believe
> that SSL is the only option. I am +1 for changing the output.
>

I changed it and committed to master.


>
> 2015-09-30 10:21 GMT+03:00 Dmitriy Setrakyan <ds...@apache.org>:
>
> > On Wed, Sep 30, 2015 at 8:01 AM, Sergey Kozlov <sk...@gridgain.com>
> > wrote:
> >
> > > On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <dsetrakyan@apache.org>
> > > wrote:
> > >
> > > > I got the following printout on 1.4 startup:
> > > > ---------
> > > > Security status [authentication=off, communication encryption=off]
> > > > ---------
> > > >
> > > > Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
> > > > "ssl=off"?
> > >
> > >
> > > > D.
> > > >
> > >
> > > Yes, in that case communication encryption is SSL
> > >
> >
> > Do we have another case? If not, let's rename to "ssl", shorter and to the
> > point. I think this can be done directly in the master. Any objections?
> >
> > >
> >
> > >
> > > --
> > > Sergey Kozlov
> > >
> >
>

Re: what is "communication encryption"?

Posted by Alexey Goncharuk <al...@gmail.com>.
Given that encryption is enabled by setting SslContextFactory, I believe
that SSL is the only option. I am +1 for changing the output.

2015-09-30 10:21 GMT+03:00 Dmitriy Setrakyan <ds...@apache.org>:

> On Wed, Sep 30, 2015 at 8:01 AM, Sergey Kozlov <sk...@gridgain.com>
> wrote:
>
> > On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <dsetrakyan@apache.org>
> > wrote:
> >
> > > I got the following printout on 1.4 startup:
> > > ---------
> > > Security status [authentication=off, communication encryption=off]
> > > ---------
> > >
> > > Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
> > > "ssl=off"?
> >
> >
> > > D.
> > >
> >
> > Yes, in that case communication encryption is SSL
> >
>
> Do we have another case? If not, let's rename to "ssl", shorter and to the
> point. I think this can be done directly in the master. Any objections?
>
> >
>
> >
> > --
> > Sergey Kozlov
> >
>

Re: what is "communication encryption"?

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Wed, Sep 30, 2015 at 8:01 AM, Sergey Kozlov <sk...@gridgain.com> wrote:

> On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <ds...@apache.org>
> wrote:
>
> > I got the following printout on 1.4 startup:
> > ---------
> > Security status [authentication=off, communication encryption=off]
> > ---------
> >
> > Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
> > "ssl=off"?
>
>
> > D.
> >
>
> Yes, in that case communication encryption is SSL
>

Do we have another case? If not, let's rename to "ssl", shorter and to the
point. I think this can be done directly in the master. Any objections?

>

>
> --
> Sergey Kozlov
>

Re: what is "communication encryption"?

Posted by Sergey Kozlov <sk...@gridgain.com>.
On Wed, Sep 30, 2015 at 4:51 AM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> I got the following printout on 1.4 startup:
> ---------
> Security status [authentication=off, communication encryption=off]
> ---------
>
> Do we mean SSL by "communication encryption"? If yes, shouldn't we just say
> "ssl=off"?
>
> D.
>

Yes, in that case communication encryption is SSL

-- 
Sergey Kozlov