Based on the review I am amending the proposal as follows:

- Removing the proposed new property 'ssl-use-default-provider'
- Adding an ability for GEODE to use the default SSLContext

This way users can choose between using the default security context or providing ssl-* parameters to configure it as per their needs. In the earlier proposal a SecurityContext is initialized from a TrustManagerFactory that is initialized with a 'null' keystore, so it makes sense to not configure a context and use a default one when requested.

How can using a default SSLContext fix GEODE-5338 (CA or KEY rotation)? When users want to use a default context, it can be either the system default or a custom provider (like the one in the earlier proposal). If no custom provider is added then the default context reads CAs from the JDK installed location.

I would like to also get consensus on defaulting GEODE's behavior to always use the default SSL context instead of introducing a new parameter 'ssl-use-default-sslcontext'. If users have specified any existing ssl-* props then the current implementation is exercised (i.e. to configure the context as per the provided properties).

Sai

On Wed, Aug 1, 2018 at 3:02 PM Sai Boorlagadda <sai_boorlaga...@apache.org> wrote:

> All,
>
> GEODE-5338[1] is a feature request to support CA & KEY rotation on the
> client application. I am proposing a solution[2] to add a new SSL property
> (*ssl-use-default-provider*) to let Geode use the default security
> provider[3] (either the JDK provided provider or a custom provider) to load
> and manage key and trust stores.
>
> I have submitted a PR[4] with the proposed change and a distributed test
> to showcase clients using a custom provider. Looking for feedback on the
> proposal and the PR as well.
>
> You can find details about the proposal on the wiki[3].
>
> [1] https://issues.apache.org/jira/browse/GEODE-5338
> [2] https://cwiki.apache.org/confluence/display/GEODE/Proposal+for+supporting+custom+java.security.Provider
> [3] https://docs.oracle.com/javase/8/docs/api/java/security/Provider.html
> [4] https://github.com/apache/geode/pull/2244
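The two paths the thread contrasts, written out as an added example (this is not Geode's code, nor the code from the PR): a context built explicitly from ssl-* style keystore/truststore settings, and the JDK default context obtained from SSLContext.getDefault(), which picks up whatever java.security.Provider is installed. The property names ssl-keystore, ssl-keystore-password, ssl-truststore and ssl-truststore-password are assumed here to stand in for "ssl-* props"; the selection rule (any of them present means build explicitly, otherwise use the default) is the behavior the message proposes, not a Geode implementation.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: default SSLContext vs. one configured from ssl-* style properties. */
public final class SslContextChoice {

    // Assumed property names standing in for the thread's "ssl-* props" (not Geode's definitions).
    static final String[] SSL_PROPS = {
        "ssl-keystore", "ssl-keystore-password", "ssl-truststore", "ssl-truststore-password"
    };

    /** Selection rule from the message: any ssl-* property present -> explicit path, else default. */
    static boolean usesDefaultContext(Properties props) {
        for (String name : SSL_PROPS) {
            if (props.getProperty(name) != null) {
                return false;
            }
        }
        return true;
    }

    static SSLContext chooseContext(Properties props) throws GeneralSecurityException, IOException {
        return usesDefaultContext(props) ? defaultContext() : explicitContext(props);
    }

    /** Default path: whatever the installed provider (JDK or custom) supplies as "Default". */
    static SSLContext defaultContext() throws GeneralSecurityException {
        // The JDK default honors javax.net.ssl.keyStore/trustStore system properties and falls
        // back to the cacerts file shipped with the JDK for trust anchors. A custom provider
        // registered ahead of the JDK one replaces the KeyManagerFactory/TrustManagerFactory
        // behind this call, which is how it could reload rotated keys or CAs.
        return SSLContext.getDefault();
    }

    /** Explicit path: load keystore and truststore named in the properties (current Geode behavior, reconstructed). */
    static SSLContext explicitContext(Properties props) throws GeneralSecurityException, IOException {
        char[] ksPass = passwordOf(props, "ssl-keystore-password");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(props.getProperty("ssl-keystore"), ksPass), ksPass);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        String tsPath = props.getProperty("ssl-truststore");
        // tmf.init((KeyStore) null) is the case the message refers to: with no truststore given,
        // trust anchors come from the JDK's installed cacerts rather than from a user file.
        tmf.init(tsPath == null ? null : loadKeyStore(tsPath, passwordOf(props, "ssl-truststore-password")));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Number of CA certificates a null-initialized TrustManagerFactory trusts (i.e. the JDK defaults). */
    static int defaultTrustAnchorCount() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    private static KeyStore loadKeyStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    private static char[] passwordOf(Properties props, String name) {
        String value = props.getProperty(name);
        return value == null ? null : value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        Properties none = new Properties();                // no ssl-* props -> default context
        System.out.println("default context? " + usesDefaultContext(none));
        System.out.println("JDK default trust anchors: " + defaultTrustAnchorCount());

        Properties explicit = new Properties();            // constructed sample, file need not exist here
        explicit.setProperty("ssl-keystore", "/path/to/client.jks");
        System.out.println("default context? " + usesDefaultContext(explicit));
    }
}
```

One caveat relevant to the rotation use case: SSLContext.getDefault() creates the default context once and returns the same instance afterwards, and the JDK's own X509KeyManager reads the keystore at initialization. So with the stock JDK provider, swapping the key or CA files on disk does not change what an already-running client presents or trusts; the reloading has to come from a custom provider's key/trust manager factories, or from installing a new context with SSLContext.setDefault(), which is why the custom-provider path in the original proposal and the default-context path in the amendment end up at the same place.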