SNI support for JDBC TLS

Oliver Cole

SNI support for JDBC TLS

Hi!

I was pleased to see that the JDBC driver supports TLS[1]. However, after inspecting traffic with Wireshark, it doesn't appear to support Server Name Indication.

My use case is Ignite on Kubernetes, behind an ingress controller that uses SNI to route connections to services.

I note that the javax.net.ssl libraries do support SNI, but from what I can see those aren't used?
Is SNI support something that would be easy to add, if someone could point me in the right direction?

Oli

ilya.kasnacheev

Re: SNI support for JDBC TLS

Hello!

Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?

Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream?

In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.

But, there is hope that IgniteJdbcThinDriver might.

Regards,
--
Ilya Kasnacheev


Thu, May 16, 2019 at 17:42, Oliver Cole <[hidden email]>:
> Hi!
>
> I was pleased to see that the JDBC driver supports TLS[1]. However, after inspecting traffic with Wireshark, it doesn't appear to support Server Name Indication.
>
> My use case is Ignite on Kubernetes, behind an ingress controller that uses SNI to route connections to services.
>
> I note that the javax.net.ssl libraries do support SNI, but from what I can see those aren't used?
> Is SNI support something that would be easy to add, if someone could point me in the right direction?
>
> Oli

Oliver Cole

Re: SNI support for JDBC TLS

> Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?

That's correct.

> Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream? In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.

I can do either - I hadn't considered the implications yet. However
that is useful info, thanks.

> But, there is hope that IgniteJdbcThinDriver might.

The documented limitations might be a problem in the long-run, but
it's worth trying. I note that the docs don't mention any TLS support
- did you mean there's hope that if TLS was added to the thin driver,
it could also support SNI?

Thanks again,

Oli


On Thu, May 16, 2019 at 5:35 PM Ilya Kasnacheev
<[hidden email]> wrote:

>
> Hello!
>
> Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?
>
> Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream?
>
> In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.
>
> But, there is hope that IgniteJdbcThinDriver might.
>
> Regards,
> --
> Ilya Kasnacheev
>
>
> Thu, May 16, 2019 at 17:42, Oliver Cole <[hidden email]>:
>>
>> Hi!
>>
>> I was pleased to see that the JDBC driver supports TLS[1]. However, after inspecting traffic with Wireshark, it doesn't appear to support Server Name Indication.
>>
>> My use case is Ignite on Kubernetes, behind an ingress controller that uses SNI to route connections to services.
>>
>> I note that the javax.net.ssl libraries do support SNI, but from what I can see those aren't used?
>> Is SNI support something that would be easy to add, if someone could point me in the right direction?
>>
>> Oli
>>
>> [1] https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/IgniteJdbcDriver.html

ilya.kasnacheev

Re: SNI support for JDBC TLS

Hello!

TLS is supported by thin client:

Moreover, with sslFactory parameter you can specify SSL factory class, which can be customized to initialize SNI properly. Can you try it with SSL factory, see if you can get SNI to work?

Regards,
--
Ilya Kasnacheev


Thu, May 16, 2019 at 19:45, Oliver Cole <[hidden email]>:
>> Do I understand correctly that you want to have several services use same ingress point, i.e. host and port, to access multiple services in your K8 cluster?
>
> That's correct.
>
>> Can you guide me whether this controller will keep SSL on (so that service has to support SSL too) or if it will strip SSL so that service will only need to work with uncompressed stream? In either case, I'm positive that IgniteJdbcDriver will NOT work, since it is a thick driver that needs to be able to connect to all nodes in the cluster, so it needs to be inside your K8 cluster.
>
> I can do either - I hadn't considered the implications yet. However
> that is useful info, thanks.
>
>> But, there is hope that IgniteJdbcThinDriver might.
>
> The documented limitations might be a problem in the long-run, but
> it's worth trying. I note that the docs don't mention any TLS support
> - did you mean there's hope that if TLS was added to the thin driver,
> it could also support SNI?
>
> Thanks again,
>
> Oli

