-
Notifications
You must be signed in to change notification settings - Fork 123
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP]Feat: support TLS configuration in broker/client #166
base: main
Are you sure you want to change the base?
Conversation
src/groups/mqb/mqbcfg/mqbcfg.xsd
Outdated
Use the new NTF based TCP transport library instead of | ||
the existing one based on BTE | ||
tls.................: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possible to rename this flag to useTls
similar to useNtf
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah useTls
is probably better. Also, should this field go inside TlsConfig
complex type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah
useTls
is probably better. Also, should this field go insideTlsConfig
complex type?
It's a good question.
We have several possibilities.
- Current structure,
useTls
andtlsConfig
settings are placed in different paths. useTls
is a part oftlsConfig
.useTls
is not a part oftlsConfig
, but they both are placed near each other inTcpInterfaceConfig
.- Implicit approach: no
useTls
flag, optionaltlsConfig
presence is a marker that TLS should be used.
2 and 3 are good for me.
80a0466
to
b4f51ab
Compare
src/groups/mqb/mqbcfg/mqbcfg.xsd
Outdated
<sequence> | ||
<element name='certificateAuthority' type='string'/> | ||
<element name='certificate' type='string'/> | ||
<element name='key' type='string'/> | ||
</sequence> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should give ourselves some room to specify the exact protocol, in case we want to specific exact versions of the TLS protocol that we want
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments.
src/groups/mqb/mqbcfg/mqbcfg.xsd
Outdated
@@ -97,6 +98,7 @@ | |||
<element name='plugins' type='tns:Plugins'/> | |||
<element name='messagePropertiesV2' type='tns:MessagePropertiesV2'/> | |||
<element name='configureStream' type='boolean' default='false'/> | |||
<element name="tls" type='tns:TlsConfig' minOccurs='0'/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
May want to call it tlsConfig
or tlsCfg
.
More importantly, should this field go inside networkInterfaces
or tcpInterface
, since it is transport-related?
src/groups/mqb/mqbcfg/mqbcfg.xsd
Outdated
Use the new NTF based TCP transport library instead of | ||
the existing one based on BTE | ||
tls.................: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah useTls
is probably better. Also, should this field go inside TlsConfig
complex type?
b4f51ab
to
497427d
Compare
Signed-off-by: Evgeny Malygin <emalygin@bloomberg.net>
Signed-off-by: Evgeny Malygin <emalygin@bloomberg.net>
497427d
to
6ff1b8c
Compare
A path to the FILE, containing the private key that the broker uses | ||
to read the certificate. | ||
version..............: | ||
Protocol version. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would be good to give an example of what's expected here e.g. "TLS1.2"
from the point of view of the server you might want to allow a set of versions or at least version 1.2 or greater.
It's good to spec out exactly what this parameter means
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@willhoy we plan to use a list of versions indeed
No description provided.