+1 to deprecating and removing SECURITY_UDP_DHALGO. The current
implementation is a non-thread-safe hack that would require extensive work
to "fix". It fails EVERY time we run mass test run. I'd prefer to see us
embrace DTLS as a standard.
On Fri, Feb 28, 2020 at 11:43 AM Bill Burcham
wrote:
> I
>
> @Dan, are you thinking that secured intra-cluster communication needs to
> be deprecated as a whole?
>
> Exactly. We shouldn't be left with "partially secure" intra-cluster
communication, where some stuff goes over TLS and some is plain text.
Setting ssl-enabled-components=cluster without setti
+1 to deprecating this feature in 1.12
As to whether we should remove this feature in a minor release, I think that,
as Alexander pointed out, it hinges on the question of whether we perceive
there to be some security issue in the feature’s implementation.
This statement from the proposal shoul
I am not sure I am following the argument for removal in a minor version.
Let's expand the argument and make sure we are all basing this on the same
assumptions:
Java has removed insecure encryption algorithms in patch releases. This was
presumably done because it's really fixing a vulnerability,
I'm back tracking on my suggestion... Got stuck on the "removal" part.
+1 -> for deprecation for said feature in 1.12
-1 -> for removal until alternative/equivalent replacement has been
added (or major version release -- which ever comes first)
@Dan, are you thinking that secured intra-cluste
I don’t think regressed is the right word. There was an effort to harden our
udp p2p traffic using encryption based on a DH key exchange. I’m not clear on
how much that approach actually improved the security of data in motion. And I
don’t believe it saw much if any use in practice.
Anthony
I think that if TCP connections are secured and UDP connections are not,
then we've regressed in our security.
Is there a way that we could use DTLS?
--Udo
On 3/2/20 10:21 AM, Dan Smith wrote:
Should we deprecate cluster ssl as well? Cluster ssl without udp encryption
means that not all P2P t
Should we deprecate cluster ssl as well? Cluster ssl without udp encryption
means that not all P2P traffic will be encrypted. If we don't want to
support P2P encryption, it seems like we should deprecate both?
-Dan
On Fri, Feb 28, 2020 at 1:40 PM Udo Kohlmeyer wrote:
> Yes, the proposal was dep
Yes, the proposal was deprecation notice in 1.12 and remove in 1.13..
That does not leave users much time to react. So if we remove in 1.14,
then users have at least 2 release cycles before we do it.
--Udo
On 2/28/20 1:11 PM, Owen Nichols wrote:
Udo, are you proposing to deprecate in 1.12 an
Udo, are you proposing to deprecate in 1.12 and remove in 1.14?
> On Feb 28, 2020, at 1:03 PM, Udo Kohlmeyer wrote:
>
> +1 to adding the deprecation. But I would prefer that we give users more
> notice than 3 months.
>
> maybe we deprecate it in 1.14
>
> --Udo
>
> On 2/28/20 1:00 PM, Ernest
+1 to adding the deprecation. But I would prefer that we give users more
notice than 3 months.
maybe we deprecate it in 1.14
--Udo
On 2/28/20 1:00 PM, Ernest Burghardt wrote:
+1
seems reasonable to do this for 1.12 and be ahead of the game, @Owen would
you please spawn that as a separate rel
+1
On 2/28/20, 11:43 AM, "Bill Burcham" wrote:
I propose we deprecate Geode’s proprietary UDP message privacy algorithm
based on the Diffie-Hellman key exchange protocol. This would deprecate:
ConfigurationProperties.SECURITY_UDP_DHALGO
String DistributionConfig.getSec
+1
seems reasonable to do this for 1.12 and be ahead of the game, @Owen would
you please spawn that as a separate release 1.12 thread? thanks, eB
On Fri, Feb 28, 2020 at 11:56 AM Owen Nichols wrote:
> +1
>
> We should have done this as soon as SSL/TLS was ready. Better late than
> never!
>
> W
+1
We should have done this as soon as SSL/TLS was ready. Better late than never!
While we normally wait until a major release to remove deprecated stuff, there
is some precedent for removing insecure encryption algorithms sooner (Java has
done this even in patch releases). We should consider
14 matches
Mail list logo
