Posted to dev@thrift.apache.org by "rico sec (JIRA)" <ji...@apache.org> on 2008/08/04 06:43:44 UTC

[jira] Created: (THRIFT-106) TSSLServerSocket

TSSLServerSocket
----------------

                 Key: THRIFT-106
                 URL: https://issues.apache.org/jira/browse/THRIFT-106
             Project: Thrift
          Issue Type: Improvement
          Components: Library (Java)
         Environment: n/a
            Reporter: rico sec


SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.

if thrift had one ...that would be very good.
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12921511#action_12921511 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

Bryan: The code looks good and I applied against thrift trunk and ran the new tutorial - JavaClient secure - works great.  So looks good to me.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910337#action_12910337 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

What is the status of this ticket - is there something that needs updating before the patch can be used or is there something wrong with the approach or ???

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Faccer updated THRIFT-106:
-------------------------------

    Attachment:     (was: TSSLSocket.java)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Reiss updated THRIFT-106:
-------------------------------

    Attachment: java-ssl.patch

Here it is.  It looks like there was never a client implementation.  This underwent basic testing, but was never used in production.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12624907#action_12624907 ] 

David Reiss commented on THRIFT-106:
------------------------------------

Am I the only one who can't see the attachments in JIRA?

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Ian Pye (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Pye updated THRIFT-106:
---------------------------

    Attachment: ssl.patch

Here's a patch I've been working on which implements TSSLSocket and TSSLServerSocket classes in c++ -- I wasn't quite sure whether to send it here or start a new issue in the C++ category.

All of the IO is done via OpenSSL's BIO abstraction.

Currently both classes expect to be given .pem files which contain the X509 certs to use. TSSLServerSocket does not handle encrypted private keys, but it would be fairly easy to add this feature in.



> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Closed: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Duxbury closed THRIFT-106.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 0.6
         Assignee: Nirmal Ranganathan

I just committed this patch. Thanks for all the hard work, Nirmal!

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Assignee: Nirmal Ranganathan
>            Priority: Trivial
>             Fix For: 0.6
>
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLTrasportFactory.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635621#action_12635621 ] 

David Reiss commented on THRIFT-106:
------------------------------------

Thanks for the additional info.  The big negative of OpenSSL in my mind is the so-called "obnoxious advertising clause", which requires that products acknowledge OpenSSL in any advertising material that mentions features provided by OpenSSL.  However, I think ease of coding trumps that.  Would you mind creating a separate JIRA issue for the C++ implementation?

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: TSSLTransportFactory-and-sample-keys.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch, TSSLTransportFactory-and-sample-keys.patch, Updated-tutuorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: Updated-tutorial-with-ssl-sample.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Faccer updated THRIFT-106:
-------------------------------

    Attachment:     (was: TSSLServerSocket.java)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Faccer updated THRIFT-106:
-------------------------------

    Comment: was deleted

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: TSSLServerSocket.java, TSSLSocket.java
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12921562#action_12921562 ] 

Bryan Duxbury commented on THRIFT-106:
--------------------------------------

A few comments:
* The spacing is off. We use 2-space indentation.
* The addition of getServerSocket to TServerSocket seems unnecessary, since it's not used anywhere.
* Why override TSocket.open() at all in TSSLSocket? TSocket throws an exception if it's already open, but TSSLSocket will silently continue. Is this a necessary/intended semantic change? If we don't need that change, do we need a TSSLSocket at all?
* TSSLServerSocket also seems unnecessary.
* Would it be possible to get a separate unit test for TSSLSocketFactory? Maybe just set up a simple server-client pair and push some bytes around? The tutorial stuff is great, but it's not going to be part of our standard test suite, so we could break it by accident.
* Hate to sound pedantic, but do you mind using ifs with curly braces, even though the then clause is single-line? Just for readability/consistency.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Ian Pye (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635510#action_12635510 ] 

Ian Pye commented on THRIFT-106:
--------------------------------

Same functionality, totally different implementation.

The new patch uses OpenSSL entirely and does not use gnutls at all. 

Also, instead of subclassing the T*Socket classes, this is built directly up from the T*Transport interfaces.



> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918678#action_12918678 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

David - are you able to post the experimental Java implementation - we're looking to start looking at implementing it here.  Would be great to have a starting point.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Issue Comment Edited: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12624580#action_12624580 ] 

ericfaccer edited comment on THRIFT-106 at 8/22/08 6:51 AM:
-------------------------------------------------------------

Note to Bryan Duxbury: This code actually works fine. ...The issue was getting keys mixed up. Will cleanup/re-up it

      was (Author: ericfaccer):
    Note to Bryan Duxbury: This code actually works fine. ...The issue was getting keys mixed up. 
  
> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment: TSSLTrasportFactory.patch

Consolidated to one patch file and updated based on comments.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLTrasportFactory.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910383#action_12910383 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

David - that would be great if you wouldn't mind posting it.  Thank you.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "James E. King, III (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918684#action_12918684 ] 

James E. King, III commented on THRIFT-106:
-------------------------------------------

The patch for Endpoints in THRIFT-66 is being ported to Java.  This will provide SSL with self-signed certificate authentication.  In fact each service channel can be declared as accessible to unauthenticated or authenticated clients.  I know this doesn't help you immediately, but I am working on getting this moved over for discussion and adoption by the devs.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment: Updated-tutorial-with-ssl-sample.patch
                Sample-keystore-for-tests-and-tutorial.patch
                TSSLServerSocket-TSSLSocket-and-factory.patch

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Duxbury updated THRIFT-106:
---------------------------------

      Priority: Trivial  (was: Major)
    Issue Type: New Feature  (was: Improvement)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment: Updated-tutuorial-with-ssl-sample.patch
                TSSLTransportFactory-and-sample-keys.patch

Here's a TSSLTransportFactory that wraps TServerSocket and TSocket with SSL/TLS enabled underlying sockets and server sockets. I've also attached sample self-signed certificates and keys. 
This is only a blocking version and doesn't work for TNonBlockingTransport.
The tutorial/java is also updated to show a working example.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch, TSSLTransportFactory-and-sample-keys.patch, Updated-tutuorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
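
What wrapping a blocking server socket and client socket in SSL/TLS looks like with plain JSSE, as an added example: this is not the attached patch and not Thrift's code. The class name, the alias, the password and the use of the JDK's keytool to create throwaway self-signed keys are assumptions of the example. The second run shows the handshake failing when the client trusts a different certificate than the one the server presents.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example (hypothetical class name): JSSE only, no Thrift classes.
public class TlsSocketPairDemo {
  static final String PASS = "changeit"; // constructed demo password

  // Create a throwaway self-signed key pair with the JDK's own keytool.
  static KeyStore generateKeyStore(Path file) throws Exception {
    String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
    Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "server",
        "-keyalg", "RSA", "-keysize", "2048", "-validity", "1",
        "-dname", "CN=localhost", "-ext", "san=ip:127.0.0.1",
        "-storetype", "PKCS12", "-keystore", file.toString(),
        "-storepass", PASS, "-keypass", PASS).inheritIO().start();
    if (p.waitFor() != 0) {
      throw new IOException("keytool failed");
    }
    KeyStore ks = KeyStore.getInstance("PKCS12");
    try (InputStream in = Files.newInputStream(file)) {
      ks.load(in, PASS.toCharArray());
    }
    return ks;
  }

  // Trust store holding only the public certificate, never the private key.
  static KeyStore trustOnly(KeyStore keys) throws Exception {
    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
    ts.load(null, null);
    ts.setCertificateEntry("server", keys.getCertificate("server"));
    return ts;
  }

  // Server side: presents the private key and certificate from its key store.
  static SSLContext serverContext(KeyStore keys) throws Exception {
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keys, PASS.toCharArray());
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), null, null);
    return ctx;
  }

  // Client side: accepts only certificates found in the given trust store.
  static SSLContext clientContext(KeyStore trust) throws Exception {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trust);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  // Blocking server/client pair on loopback: send one line, read the echo.
  static String roundTrip(SSLContext server, SSLContext client, String msg) throws Exception {
    InetAddress loopback = InetAddress.getByName("127.0.0.1");
    try (ServerSocket listener = server.getServerSocketFactory().createServerSocket(0, 1, loopback)) {
      Thread echo = new Thread(() -> {
        try (Socket peer = listener.accept()) {
          peer.setSoTimeout(5000);
          BufferedReader in = new BufferedReader(
              new InputStreamReader(peer.getInputStream(), StandardCharsets.UTF_8));
          String line = in.readLine();
          peer.getOutputStream().write((line + "\n").getBytes(StandardCharsets.UTF_8));
          peer.getOutputStream().flush();
        } catch (IOException e) {
          // A failed handshake ends up here; the client reports the cause.
        }
      });
      echo.start();
      try (SSLSocket sock = (SSLSocket) client.getSocketFactory()
               .createSocket("127.0.0.1", listener.getLocalPort())) {
        sock.setSoTimeout(5000);
        // A bare SSLSocket does not check the peer name unless asked to.
        SSLParameters params = sock.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
        sock.startHandshake();
        sock.getOutputStream().write((msg + "\n").getBytes(StandardCharsets.UTF_8));
        sock.getOutputStream().flush();
        return new BufferedReader(
            new InputStreamReader(sock.getInputStream(), StandardCharsets.UTF_8)).readLine();
      } finally {
        echo.join();
      }
    }
  }

  public static void main(String[] args) throws Exception {
    Path dir = Files.createTempDirectory("tls-demo");
    KeyStore serverKeys = generateKeyStore(dir.resolve("server.p12"));
    KeyStore otherKeys = generateKeyStore(dir.resolve("other.p12"));
    SSLContext server = serverContext(serverKeys);

    String echoed = roundTrip(server, clientContext(trustOnly(serverKeys)), "ping");
    System.out.println("matching trust store echoed: " + echoed);
    try {
      roundTrip(server, clientContext(trustOnly(otherKeys)), "ping");
      System.out.println("unexpected: handshake succeeded");
    } catch (SSLException e) {
      System.out.println("mismatched trust store rejected: " + e.getClass().getSimpleName());
    }
  }
}
```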


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910340#action_12910340 ] 

Bryan Duxbury commented on THRIFT-106:
--------------------------------------

The patch contains nothing but C++ code, so I don't know why it's tagged for java.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922176#action_12922176 ] 

Bryan Duxbury commented on THRIFT-106:
--------------------------------------

{quote}
bq. The addition of getServerSocket to TServerSocket seems unnecessary, since it's not used anywhere.

bq. I added it for 2 reasons, one is similarity to TSocket.getSocket and the other if anyone wants to override TServerSocket, it would be nice to have the underlying socket. Case in point we would require something like that for Cassandra.
{quote}

OK, that's fine by me.

I think I'd prefer not to have those weak wrapper classes since they offer so little functionality. It doesn't seem particularly useful to change the semantics of isOpen(), so the rest is just an unnecessary class.

Glad to see you wrote a test :)

Just as a side note, it would be slightly more convenient for me if you attached a combined patch instead of several in the future.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSL-Testcase.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922114#action_12922114 ] 

Nirmal Ranganathan commented on THRIFT-106:
-------------------------------------------

bq. The spacing is off. We use 2-space indentation.
I'll clean that up.

bq. The addition of getServerSocket to TServerSocket seems unnecessary, since it's not used anywhere.
I added it for 2 reasons, one is similarity to TSocket.getSocket and the other if anyone wants to override TServerSocket, it would be nice to have the underlying socket. Case in point we would require something like that for Cassandra.

bq. Why override TSocket.open() at all in TSSLSocket? TSocket throws an exception if it's already open, but TSSLSocket will silently continue. Is this a necessary/intended semantic change? If we don't need that change, do we need a TSSLSocket at all?
bq. TSSLServerSocket also seems unnecessary.
That was just an idiomatic addition. Since everyone is used to Transport.open(). The override ignores the call if it's already open. I can remove it, if you feel that's unnecessary.

bq. Would it be possible to get a separate unit test for TSSLSocketFactory? Maybe just set up a simple server-client pair and push some bytes around? The tutorial stuff is great, but it's not going to be part of our standard test suite, so we could break it by accident.
Do we require something more than the current TestTSSLSocketFactory that I added? It does use the underlying ServerTestBase for the tests, but uses a TSSLSocket and TSSLServerSocket from the TSSLSocketFactory as a simple client-server pair. Let me know if I misunderstood something there.

bq. Hate to sound pedantic, but do you mind using ifs with curly braces, even though the then clause is single-line? Just for readability/consistency.
Sure, I'll update it.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: TSSL-Testcase.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Ian Pye (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635612#action_12635612 ] 

Ian Pye commented on THRIFT-106:
--------------------------------

1) I switched to working with openssl because I was having a hard time getting the memory allocation working 100% reliably with gnutls and eventually got fed up with having hard-to-track-down warnings about double free()s and such coming up all the time. I find openssl's BIO abstraction much easier to work with (This may say more about me than about openssl though). Also, just on the basis of my very ad-hoc tests, openssl seems to be faster at setting up a secure connection than gnutls. Other reasons I switched include the popularity of openssl, and the fact that openssl's license is a bit more lax, just requiring citing the use of openssl in the linking source code (I believe).

So, I don't know where you are at with the gnutls implementation and how stable it is, but my general opinion is that openssl is a more mature project which is a lot more fun to code against. 

2) My understanding is that gnutls can emulate openssl, but not vice versa. With this emulation going, the two libraries are wire-compatible. One limitation of openssl is that it doesn't support OpenPGP authentication.

3) stunnel compiles against both SSLeay and OpenSSL. So an openssl-enabled thrift client could talk with a stunnel'd thrift server, and vice versa. But since gnutls can emulate openssl, it should also be able to interoperate with stunnel.


 

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: TSSLTransportFactory-and-sample-keys.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: Updated-tutuorial-with-ssl-sample.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910356#action_12910356 ] 

David Reiss commented on THRIFT-106:
------------------------------------

I think we have an experimental Java implementation here at Facebook.  I can try to get it out if people are interested, but I haven't tried yet because it was never extensively tested and there are no plans to use it in production.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Faccer updated THRIFT-106:
-------------------------------

    Attachment: TSSLServerSocket.java

Non working

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: TSSLServerSocket.java, TSSLSocket.java
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Faccer updated THRIFT-106:
-------------------------------

    Attachment: TSSLSocket.java

Not working

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: TSSLServerSocket.java, TSSLSocket.java
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Ian Pye (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Pye updated THRIFT-106:
---------------------------

    Attachment: ssl.patch

New version of this patch which fixes SSL initialization errors. It also takes some socket settings from TServerSocket.cpp.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment: TSSL-Testcase.patch

My bad! I thought I'd attached the test case. Here it is now.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSL-Testcase.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment:     (was: TSSLServerSocket-TSSLSocket-and-factory.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918762#action_12918762 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

David and James - Thanks!

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Issue Comment Edited: (THRIFT-106) TSSLServerSocket

Posted by "Eric Faccer (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12624580#action_12624580 ] 

ericfaccer edited comment on THRIFT-106 at 8/22/08 6:43 AM:
-------------------------------------------------------------

Note to Bryan Duxbury: This code actually works fine. ...The issue was getting keys mixed up. 

      was (Author: ericfaccer):
    Not working
  
> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: TSSLServerSocket.java, TSSLSocket.java
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922622#action_12922622 ] 

Bryan Duxbury commented on THRIFT-106:
--------------------------------------

I saw a note in TSSLTransportFactory that TCompactProtocol isn't supported. Is that true? If so, why?

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSLTrasportFactory.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635543#action_12635543 ] 

David Reiss commented on THRIFT-106:
------------------------------------

Would you suggest that we abandon the gnutls implementation in favor of this one then?  Are they wire-compatible (or can they be made so)?  Are any of these implementations compatible with wrapping a normal Thrift server in stunnel?

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nirmal Ranganathan updated THRIFT-106:
--------------------------------------

    Attachment: TSSLTransportFactory-and-sample-keys.patch

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, ssl.patch, TSSLTransportFactory-and-sample-keys.patch, Updated-tutuorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Updated: (THRIFT-106) TSSLServerSocket

Posted by "Ian Pye (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Pye updated THRIFT-106:
---------------------------

    Attachment:     (was: ssl.patch)

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "David Reiss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12635502#action_12635502 ] 

David Reiss commented on THRIFT-106:
------------------------------------

How does this compare to the gnutls-based patch that you submitted to the old Thrift list?

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>


[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Bryan Duxbury (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12624911#action_12624911 ] 

Bryan Duxbury commented on THRIFT-106:
--------------------------------------

They were deleted.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Library (Java)
>         Environment: n/a
>            Reporter: rico sec
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Nirmal Ranganathan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922210#action_12922210 ] 

Nirmal Ranganathan commented on THRIFT-106:
-------------------------------------------

That sounds good. I'll wrap up with the suggested changes (removing TSSLSocket and TSSLServerSocket) and consolidate everything into one patch file. I'll just keep the keystores as a separate patch though.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: java-ssl.patch, Sample-keystore-for-tests-and-tutorial.patch, ssl.patch, TSSL-Testcase.patch, TSSLServerSocket-TSSLSocket-and-factory.patch, Updated-tutorial-with-ssl-sample.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.



[jira] Commented: (THRIFT-106) TSSLServerSocket

Posted by "Jeremy Hanna (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910342#action_12910342 ] 

Jeremy Hanna commented on THRIFT-106:
-------------------------------------

Ah right - sorry.  I should have looked at the patch itself.  So for Java, there is no progress; it has to be done from the ground up.

> TSSLServerSocket
> ----------------
>
>                 Key: THRIFT-106
>                 URL: https://issues.apache.org/jira/browse/THRIFT-106
>             Project: Thrift
>          Issue Type: New Feature
>          Components: Java - Library
>         Environment: n/a
>            Reporter: rico sec
>            Priority: Trivial
>         Attachments: ssl.patch
>
>   Original Estimate: 6h
>  Remaining Estimate: 6h
>
> SSL Connection w/ autogenerated self signed x509 certs seems to be the state of the art for rpc layers.
> if thrift had one ...that would be very good.
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
> if someone does this pls ping/email me, I will do some testing and write a simple key mgmt utility.
