-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL support #220
SSL support #220
Conversation
4e35a88
to
177b62f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the patchset!
I don't feel myself very professional around encryption/openssl topics, so, please, take my review as 'something that a random guy can add here'.
Everything looks meaningful, it is what I can say :)
I left several questions/doubts, they're based on the ssl module documentation. Also a few stylistic comments.
The patchset looks good to me. Please, glance on my comments, but they all looks as non-critical and can be passed over.
177b62f
to
090f2d2
Compare
Issue in WSL actions repository: Vampire/setup-wsl#28 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems awesome. Thank you! I have left several minor comments.
Regarding WSL: we may use WSL 1 as a workaround: https://github.com/tarantool/tarantool-python/actions/runs/2509312684 - name: Install test requirements
run: pip install -r requirements-test.txt
+ - run: wsl --set-default-version 1
+
- name: Setup WSL for tarantool
uses: Vampire/setup-wsl@v1
with:
|
488693a
to
ae172fc
Compare
It works, thank you! |
d8acf41
to
aa0c6e2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be LGTM after resolving/ignoring remaining comments.
aa0c6e2
to
4b498ad
Compare
The patch adds support for using SSL to encrypt the client-server communications [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Part of #217
d4c0ea4
to
831100c
Compare
The workflow uses Tarantool Enterprise Edition. It does not run for outside pull requests by default. Such pull requests may be labeled with `full-ci`. To avoid security problems, the label must be reset manually for every run. Closes #217
831100c
to
66c732e
Compare
Overview This release features SSL support. To use SSL, pass SSL parameters on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file, ssl_ca_file=client_ca_file, ssl_ciphers=client_ciphers) ConnectionPool and MeshConnection also support these parameters. See Tarantool Enterprise Edition manual for details [1]. Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use SSL, pass SSL parameters on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file, ssl_ca_file=client_ca_file, ssl_ciphers=client_ciphers) ConnectionPool and MeshConnection also support these parameters. See Tarantool Enterprise Edition manual for details [1]. Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use SSL, pass SSL parameters on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file, ssl_ca_file=client_ca_file, ssl_ciphers=client_ciphers) ConnectionPool and MeshConnection also support these parameters. See Tarantool Enterprise Edition manual for details [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use encrypted connection with Tarantool Enterprise Edition instance, pass "ssl" `transport` parameter on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl") If server uses trusted certificate authorities (CA) file, you must set private SSL key file with `ssl_key_file` parameter and SSL certificate file with `ssl_cert_file` parameter. If server not uses CA file, these parameters are optional. con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file) To verify the server, set client trusted certificate authorities (CA) file with `ssl_ca_file` parameter: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ca_file=client_ca_file) To set SSL ciphers, set them with `ssl_ciphers` parameter as a colon-separated (:) string: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ciphers=client_ssl_ciphers) ConnectionPool and MeshConnection also support these parameters. mesh = tarantool.MeshConnection( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) pool = tarantool.ConnectionPool( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) See Tarantool Enterprise Edition manual for details [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use encrypted connection with Tarantool Enterprise Edition instance, pass "ssl" `transport` parameter on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl") If server uses trusted certificate authorities (CA) file, you must set private SSL key file with `ssl_key_file` parameter and SSL certificate file with `ssl_cert_file` parameter. If server not uses CA file, these parameters are optional. con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file) To verify the server, set client trusted certificate authorities (CA) file with `ssl_ca_file` parameter: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ca_file=client_ca_file) To set SSL ciphers, set them with `ssl_ciphers` parameter as a colon-separated (:) string: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ciphers=client_ssl_ciphers) ConnectionPool and MeshConnection also support these parameters. mesh = tarantool.MeshConnection( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) pool = tarantool.ConnectionPool( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) See Tarantool Enterprise Edition manual for details [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use encrypted connection with Tarantool Enterprise Edition instance, pass "ssl" `transport` parameter on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl") To verify the server, set client trusted certificate authorities (CA) file with `ssl_ca_file` parameter: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ca_file=client_ca_file) If the server authenticates clients using certificates issued by given CA, you must provide private SSL key file with `ssl_key_file` parameter and SSL certificate file with `ssl_cert_file` parameter. Otherwise, these parameters are optional. con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file) To set SSL ciphers, set them with `ssl_ciphers` parameter as a colon-separated (:) string: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ciphers=client_ssl_ciphers) ConnectionPool and MeshConnection also support these parameters. mesh = tarantool.MeshConnection( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) pool = tarantool.ConnectionPool( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) See Tarantool Enterprise Edition manual for details [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview This release features SSL support. To use encrypted connection with Tarantool Enterprise Edition instance, pass "ssl" `transport` parameter on connect: con = tarantool.Connection( host, port, user=user, password=pass, transport="ssl") To verify the server, set client trusted certificate authorities (CA) file with `ssl_ca_file` parameter: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ca_file=client_ca_file) If the server authenticates clients using certificates issued by given CA, you must provide private SSL key file with `ssl_key_file` parameter and SSL certificate file with `ssl_cert_file` parameter. Otherwise, these parameters are optional. con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_key_file=client_key_file, ssl_cert_file=client_cert_file) To set SSL ciphers, set them with `ssl_ciphers` parameter as a colon-separated (:) string: con = tarantool.Connection( host, port, user=user, password=password, transport="ssl", ssl_ciphers=client_ssl_ciphers) ConnectionPool and MeshConnection also support these parameters. mesh = tarantool.MeshConnection( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) pool = tarantool.ConnectionPool( addrs={ "host": host, "post": port, "transport": "ssl", "ssl_key_file": client_key_file, "ssl_cert_file": client_cert_file, "ssl_ca_file": client_ca_file, "ssl_ciphers": client_ssl_ciphers, }, user=user, password=password) See Tarantool Enterprise Edition manual for details [1]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption Breaking changes There are no breaking changes in the release. New features * SSL support (PR #220, #217). Testing * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2]. To use SSL encrypted connection, use Connection parameters: conn = asynctnt.Connection(host='127.0.0.1', port=3301, transport=asynctnt.Transport.SSL, ssl_key_file='./ssl/host.key', ssl_cert_file='./ssl/host.crt', ssl_ca_file='./ssl/ca.crt', ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384') If Tarantool server uses "ssl" transport, client connection also need to use asynctnt.Transport.SSL transport. If server side had ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory from the client side, otherwise optional. CA file and ciphers are optional. See available ciphers in Tarantool EE documentation [3]. 1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption 2. tarantool/tarantool-python#220 3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers Closes igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1]. 1. tarantool/tarantool-python#220 Follows up igorcoding#22
The patch adds support for using SSL to encrypt the client-server communications.
Also it adds a workflow that uses Tarantool Enterprise Edition. It does not run for outside pull requests by default. Such pull requests may be labeled with
full-ci
. To avoid security problems, the label must be reset manually for every run.Closes #217
Please be careful. I don't program in the Python. So there may be mistakes in basic and idiomatic things.