+1
On 3/18/20, 4:13 PM, "Dan Smith" <dsm...@pivotal.io> wrote:
One addendum to this proposal:
This proposed method of configuring a SNI proxy server requires that the
client sends the SNI hostname as part of the TLS handshake. In the previous
proposal we suggested it would only be sent if a SNI Proxy is configured.
Now we propose that a geode client will *always* send the SNI hostname when
it initiates a TLS connection to a locator or server.
This will help us implement the SniSocketFactory. It may also help with
other use cases such as presenting different SSL certificates for different
hostnames, which is the original reason this SNI hostname is part of TLS.
The SSLParameterExtension will still take precedence, so I think this
should not break the original use case for SSLParameterExtension [1]
-Dan
[1]
https://lists.apache.org/thread.html/0e08a5d0a480115ace6412e16ad45023adf0c29406ec2095a4d19d30%40%3Cdev.geode.apache.org%3E
On Mon, Mar 16, 2020 at 3:33 PM Dan Smith <dsm...@pivotal.io> wrote:
> Hi all,
>
> A new RFC is up for this feature
>
https://cwiki.apache.org/confluence/display/GEODE/Client+side+configuration+for+a+SNI+proxy.
>
>
> Please review and comment by this Friday, 3/20/2020.
>
> This hopefully addresses some of the concerns with the previous RFC for
> this feature. The new proposal is for a more general SocketFactory
property
> that users can implement, along the lines of what Jake and Owen suggested.
>
> -Dan
>
