-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More parameters for tls layer in protocols #63985
base: master
Are you sure you want to change the base?
More parameters for tls layer in protocols #63985
Conversation
This is an automated comment for commit 983fa64 with description of existing statuses. It's updated for the latest CI running ❌ Click here to open a full report in a separate page
Successful checks
|
, stack_data(stack_data_) | ||
{ | ||
#if USE_SSL | ||
params.privateKeyFile = config.getString(prefix + SSLManager::CFG_PRIV_KEY_FILE, ""); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The same logic as in Poco::Net::SSLManager::initDefaultContext method.
Possible that better use settings for default context everywhere as default (as for caLocation), but this breaks backwards compatibility for everyone who already uses tls protocol.
@@ -258,6 +258,40 @@ namespace Net | |||
static const std::string CFG_SERVER_PREFIX; | |||
static const std::string CFG_CLIENT_PREFIX; | |||
|
|||
static const std::string CFG_PRIV_KEY_FILE; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move from private to public section to use same names in TLSHandler.
@@ -84,6 +101,49 @@ def test_connections(): | |||
|
|||
assert execute_query_https(server.ip_address, 8444, "SELECT 1") == "1\n" | |||
|
|||
warnings.filterwarnings("ignore", category=DeprecationWarning) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suppress python warning about deprecated tls versions (TLSv1_1 and older)
@@ -84,6 +101,49 @@ def test_connections(): | |||
|
|||
assert execute_query_https(server.ip_address, 8444, "SELECT 1") == "1\n" | |||
|
|||
warnings.filterwarnings("ignore", category=DeprecationWarning) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't check how OpenSSL works, only that it gets new parameters.
Can't understand, what wrong with style in marked lines. UPD. Tabs instead of spaces... |
d2fa977
to
e5fe443
Compare
5bf6534
to
a946f4f
Compare
src/Server/CertificateReloader.cpp
Outdated
auto* ctx = Poco::Net::SSLManager::instance().defaultServerContext()->sslContext(); | ||
SSL_CTX_set_cert_cb(ctx, callSetCertificate, nullptr); | ||
init_was_not_made = false; | ||
SSL_CTX_set_cert_cb(ctx, callSetCertificate, reinterpret_cast<void *>(pdata)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MultiData object must not moved after creation, so pointer can be passed as callback parameter.
void CertificateReloader::tryReloadAll(const Poco::Util::AbstractConfiguration & config) | ||
{ | ||
std::unique_lock<std::mutex> lock(data_mutex); | ||
for (auto & item : data_index) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Default server context is keeped here with openSSL.server.
as key. Customs contexts - with protocols.<name>.
names.
ac6d792
to
ddad7cf
Compare
ddad7cf
to
983fa64
Compare
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
In composable protocols TLS layer accepted only
certificateFile
andprivateKeyFile
parameters.https://clickhouse.com/docs/en/operations/settings/composable-protocols
This PR adds other parameters:
caConfig
verificationMode
verificationDepth
loadDefaultCAFile
cipherList
/cypherList
requireTLSv1
,requireTLSv1_1
,requireTLSv1_2
dhParamsFile
ecdhCurve
disableProtocols
extendedVerification
preferServerCiphers
For backwards compatibility parameters used only when both
certificateFile
andprivateKeyFile
present,caConfig
by default fromdefaultServerContext
, other parameters empty by default.Also added reusing Context for additional ports instead of recreate on each request and support in CertificateReloader.