Posted to user@ignite.apache.org by Oliver Cole <ol...@gmail.com> on 2019/05/16 14:41:51 UTC

SNI support for JDBC TLS

Hi!

I was pleased to see that the JDBC driver supports TLS[1]. However, after
inspecting traffic with Wireshark, it doesn't appear to support Server Name
Indication.

My use case is Ignite on Kubernetes, behind an ingress controller that uses
SNI to route connections to services.

I note that the javax.net.ssl libraries do support SNI, but from what I can
see those aren't used?
Is SNI support something that would be easy to add, if someone could point
me in the right direction?

Oli

[1]
https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/IgniteJdbcDriver.html

Re: SNI support for JDBC TLS

Posted by Ilya Kasnacheev <il...@gmail.com>.
Hello!

TLS is supported by thin client:
https://apacheignite-sql.readme.io/docs/jdbc-driver#jdbc-thin-driver

Moreover, with sslFactory parameter you can specify SSL factory class,
which can be customized to initialize SNI properly. Can you try it with SSL
factory, see if you can get SNI to work?

Regards,
-- 
Ilya Kasnacheev


Thu, 16 May 2019 at 19:45, Oliver Cole <ol...@gmail.com>:

> > Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?
>
> That's correct.
>
> > Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream? In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.
>
> I can do either - I hadn't considered the implications yet. However
> that is useful info, thanks.
>
> > But, there is hope that IgniteJdbcThinDriver might.
>
> The documented limitations might be a problem in the long-run, but
> it's worth trying. I note that the docs don't mention any TLS support
> - did you mean there's hope that if TLS was added to the thin driver,
> it could also support SNI?
>
> Thanks again,
>
> Oli
>
>
> On Thu, May 16, 2019 at 5:35 PM Ilya Kasnacheev
> <il...@gmail.com> wrote:
> >
> > Hello!
> >
> > Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?
> >
> > Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream?
> >
> > In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.
> >
> > But, there is hope that IgniteJdbcThinDriver might.
> >
> > Regards,
> > --
> > Ilya Kasnacheev
> >
> >
> > Thu, 16 May 2019 at 17:42, Oliver Cole <ol...@gmail.com>:
> >>
> >> Hi!
> >>
> >> I was pleased to see that the JDBC driver supports TLS[1]. However, after inspecting traffic with Wireshark, it doesn't appear to support Server Name Indication.
> >>
> >> My use case is Ignite on Kubernetes, behind an ingress controller that uses SNI to route connections to services.
> >>
> >> I note that the javax.net.ssl libraries do support SNI, but from what I can see those aren't used?
> >> Is SNI support something that would be easy to add, if someone could point me in the right direction?
> >>
> >> Oli
> >>
> >> [1] https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/IgniteJdbcDriver.html
>

Re: SNI support for JDBC TLS

Posted by Oliver Cole <ol...@gmail.com>.
> Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?

That's correct.

> Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream? In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.

I can do either - I hadn't considered the implications yet. However
that is useful info, thanks.

> But, there is hope that IgniteJdbcThinDriver might.

The documented limitations might be a problem in the long-run, but
it's worth trying. I note that the docs don't mention any TLS support
- did you mean there's hope that if TLS was added to the thin driver,
it could also support SNI?

Thanks again,

Oli


On Thu, May 16, 2019 at 5:35 PM Ilya Kasnacheev
<il...@gmail.com> wrote:
>
> Hello!
>
> Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?
>
> Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream?
>
> In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.
>
> But, there is hope that IgniteJdbcThinDriver might.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Thu, 16 May 2019 at 17:42, Oliver Cole <ol...@gmail.com>:
>>
>> Hi!
>>
>> I was pleased to see that the JDBC driver supports TLS[1]. However, after inspecting traffic with Wireshark, it doesn't appear to support Server Name Indication.
>>
>> My use case is Ignite on Kubernetes, behind an ingress controller that uses SNI to route connections to services.
>>
>> I note that the javax.net.ssl libraries do support SNI, but from what I can see those aren't used?
>> Is SNI support something that would be easy to add, if someone could point me in the right direction?
>>
>> Oli
>>
>> [1] https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/IgniteJdbcDriver.html

Re: SNI support for JDBC TLS

Posted by Ilya Kasnacheev <il...@gmail.com>.
Hello!

Do I understand correctly that you want to have several services use same
ingress point, i.e. host and port, to access multiple services in your K8
cluster?

Can you guide me whether this controller will keep SSL on (so that service
has to support SSL too) or if it will strip SSL so that service will only
need to work with uncompressed stream?

In either case, I'm positive that IgniteJdbcDriver will NOT work, since it
is a thick driver that needs to be able to connect to all nodes in the
cluster, so it needs to be inside your K8 cluster.

But, there is hope that IgniteJdbcThinDriver might.

Regards,
-- 
Ilya Kasnacheev


Thu, 16 May 2019 at 17:42, Oliver Cole <ol...@gmail.com>:

> Hi!
>
> I was pleased to see that the JDBC driver supports TLS[1]. However, after
> inspecting traffic with Wireshark, it doesn't appear to support Server Name
> Indication.
>
> My use case is Ignite on Kubernetes, behind an ingress controller that uses
> SNI to route connections to services.
>
> I note that the javax.net.ssl libraries do support SNI, but from what I
> can see those aren't used?
> Is SNI support something that would be easy to add, if someone could point
> me in the right direction?
>
> Oli
>
> [1]
> https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/IgniteJdbcDriver.html
>