Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL support #220

Merged
merged 2 commits into from
Jun 20, 2022
Merged

SSL support #220

merged 2 commits into from
Jun 20, 2022

Conversation

oleg-jukovec
Copy link
Contributor

@oleg-jukovec oleg-jukovec commented Jun 7, 2022

The patch adds support for using SSL to encrypt the client-server communications.

Also it adds a workflow that uses Tarantool Enterprise Edition. It does not run for outside pull requests by default. Such pull requests may be labeled with full-ci. To avoid security problems, the label must be reset manually for every run.

Closes #217

Please be careful. I don't program in the Python. So there may be mistakes in basic and idiomatic things.

@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch 7 times, most recently from 4e35a88 to 177b62f Compare June 8, 2022 08:49
@oleg-jukovec oleg-jukovec changed the title Support of SSL protocol SSL support Jun 8, 2022
@oleg-jukovec oleg-jukovec marked this pull request as ready for review June 8, 2022 08:58
Copy link
Member

@Totktonada Totktonada left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the patchset!

I don't feel myself very professional around encryption/openssl topics, so, please, take my review as 'something that a random guy can add here'.

Everything looks meaningful, it is what I can say :)

I left several questions/doubts, they're based on the ssl module documentation. Also a few stylistic comments.

The patchset looks good to me. Please, glance on my comments, but they all looks as non-critical and can be passed over.

tarantool/mesh_connection.py Outdated Show resolved Hide resolved
test/suites/lib/tarantool_server.py Outdated Show resolved Hide resolved
test/suites/lib/tarantool_server.py Outdated Show resolved Hide resolved
test/suites/test_ssl.py Outdated Show resolved Hide resolved
test/suites/test_ssl.py Outdated Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection.py Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection.py Show resolved Hide resolved
test/suites/test_ssl.py Outdated Show resolved Hide resolved
@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch from 177b62f to 090f2d2 Compare June 16, 2022 09:01
@DifferentialOrange
Copy link
Member

DifferentialOrange commented Jun 16, 2022

Issue in WSL actions repository: Vampire/setup-wsl#28

Copy link
Member

@DifferentialOrange DifferentialOrange left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems awesome. Thank you! I have left several minor comments.

CHANGELOG.md Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection.py Outdated Show resolved Hide resolved
tarantool/connection_pool.py Outdated Show resolved Hide resolved
tarantool/mesh_connection.py Show resolved Hide resolved
@DifferentialOrange
Copy link
Member

Regarding WSL: we may use WSL 1 as a workaround: https://github.com/tarantool/tarantool-python/actions/runs/2509312684

       - name: Install test requirements
         run: pip install -r requirements-test.txt
 
+      - run: wsl --set-default-version 1
+
       - name: Setup WSL for tarantool
         uses: Vampire/setup-wsl@v1
         with:

tarantool/connection.py Outdated Show resolved Hide resolved
@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch 2 times, most recently from 488693a to ae172fc Compare June 16, 2022 14:58
@oleg-jukovec
Copy link
Contributor Author

Regarding WSL: we may use WSL 1 as a workaround: https://github.com/tarantool/tarantool-python/actions/runs/2509312684

       - name: Install test requirements
         run: pip install -r requirements-test.txt
 
+      - run: wsl --set-default-version 1
+
       - name: Setup WSL for tarantool
         uses: Vampire/setup-wsl@v1
         with:

It works, thank you!

@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch 3 times, most recently from d8acf41 to aa0c6e2 Compare June 17, 2022 06:21
Copy link
Member

@DifferentialOrange DifferentialOrange left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be LGTM after resolving/ignoring remaining comments.

.github/workflows/testing.yml Outdated Show resolved Hide resolved
.github/workflows/testing.yml Show resolved Hide resolved
tarantool/connection_pool.py Outdated Show resolved Hide resolved
tarantool/connection_pool.py Show resolved Hide resolved
@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch from aa0c6e2 to 4b498ad Compare June 17, 2022 08:45
The patch adds support for using SSL to encrypt the client-server
communications [1].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Part of #217
@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch 2 times, most recently from d4c0ea4 to 831100c Compare June 17, 2022 09:19
The workflow uses Tarantool Enterprise Edition. It does not run for
outside pull requests by default. Such pull requests may be labeled
with `full-ci`. To avoid security problems, the label must be reset
manually for every run.

Closes #217
@oleg-jukovec oleg-jukovec force-pushed the oleg-jukovec/gh-217-ssl-support branch from 831100c to 66c732e Compare June 17, 2022 09:32
@DifferentialOrange DifferentialOrange merged commit 69fae76 into master Jun 20, 2022
@DifferentialOrange DifferentialOrange deleted the oleg-jukovec/gh-217-ssl-support branch June 20, 2022 11:53
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support. To use SSL, pass SSL parameters
    on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file,
            ssl_ca_file=client_ca_file,
            ssl_ciphers=client_ciphers)

     ConnectionPool and MeshConnection also support these parameters.

     See Tarantool Enterprise Edition manual for details [1].

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
@DifferentialOrange DifferentialOrange mentioned this pull request Jun 20, 2022
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support. To use SSL, pass SSL parameters
    on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file,
            ssl_ca_file=client_ca_file,
            ssl_ciphers=client_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

    See Tarantool Enterprise Edition manual for details [1].

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support. To use SSL, pass SSL parameters
    on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file,
            ssl_ca_file=client_ca_file,
            ssl_ciphers=client_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

    See Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support.

    To use encrypted connection with Tarantool Enterprise Edition
    instance, pass "ssl" `transport` parameter on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl")

    If server uses trusted certificate authorities (CA) file, you must
    set private SSL key file with `ssl_key_file` parameter and SSL
    certificate file with `ssl_cert_file` parameter. If server not
    uses CA file, these parameters are optional.

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file)

    To verify the server, set client trusted certificate
    authorities (CA) file with `ssl_ca_file` parameter:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ca_file=client_ca_file)

    To set SSL ciphers, set them with `ssl_ciphers` parameter as
    a colon-separated (:) string:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ciphers=client_ssl_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

        mesh = tarantool.MeshConnection(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

        pool = tarantool.ConnectionPool(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

    See Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support.

    To use encrypted connection with Tarantool Enterprise Edition
    instance, pass "ssl" `transport` parameter on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl")

    If server uses trusted certificate authorities (CA) file, you must
    set private SSL key file with `ssl_key_file` parameter and SSL
    certificate file with `ssl_cert_file` parameter. If server not
    uses CA file, these parameters are optional.

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file)

    To verify the server, set client trusted certificate
    authorities (CA) file with `ssl_ca_file` parameter:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ca_file=client_ca_file)

    To set SSL ciphers, set them with `ssl_ciphers` parameter as
    a colon-separated (:) string:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ciphers=client_ssl_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

        mesh = tarantool.MeshConnection(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

        pool = tarantool.ConnectionPool(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

    See Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support.

    To use encrypted connection with Tarantool Enterprise Edition
    instance, pass "ssl" `transport` parameter on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl")

    To verify the server, set client trusted certificate
    authorities (CA) file with `ssl_ca_file` parameter:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ca_file=client_ca_file)

    If the server authenticates clients using certificates issued by
    given CA, you must provide private SSL key file with `ssl_key_file`
    parameter and SSL certificate file with `ssl_cert_file` parameter.
    Otherwise, these parameters are optional.

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file)

    To set SSL ciphers, set them with `ssl_ciphers` parameter as
    a colon-separated (:) string:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ciphers=client_ssl_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

        mesh = tarantool.MeshConnection(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

        pool = tarantool.ConnectionPool(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

    See Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit that referenced this pull request Jun 20, 2022
Overview

    This release features SSL support.

    To use encrypted connection with Tarantool Enterprise Edition
    instance, pass "ssl" `transport` parameter on connect:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=pass,
            transport="ssl")

    To verify the server, set client trusted certificate
    authorities (CA) file with `ssl_ca_file` parameter:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ca_file=client_ca_file)

    If the server authenticates clients using certificates issued by
    given CA, you must provide private SSL key file with `ssl_key_file`
    parameter and SSL certificate file with `ssl_cert_file` parameter.
    Otherwise, these parameters are optional.

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_key_file=client_key_file,
            ssl_cert_file=client_cert_file)

    To set SSL ciphers, set them with `ssl_ciphers` parameter as
    a colon-separated (:) string:

        con = tarantool.Connection(
            host, port,
            user=user,
            password=password,
            transport="ssl",
            ssl_ciphers=client_ssl_ciphers)

    ConnectionPool and MeshConnection also support these parameters.

        mesh = tarantool.MeshConnection(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

        pool = tarantool.ConnectionPool(
            addrs={
                "host": host,
                "post": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
            user=user,
            password=password)

    See Tarantool Enterprise Edition manual for details [1].

    1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption

Breaking changes

    There are no breaking changes in the release.

New features

    * SSL support (PR #220, #217).

Testing

    * Tarantool Enterprise testing workflow on GitHub actions (PR #220).
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 10, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 11, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 11, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 11, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 11, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 16, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 16, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 17, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 17, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 18, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 18, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 22, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 22, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 24, 2022
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use SSL encrypted connection, use Connection parameters:

  conn = asynctnt.Connection(host='127.0.0.1',
                             port=3301,
                             transport=asynctnt.Transport.SSL,
                             ssl_key_file='./ssl/host.key',
                             ssl_cert_file='./ssl/host.crt',
                             ssl_ca_file='./ssl/ca.crt',
                             ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If Tarantool server uses "ssl" transport, client connection also need to
use asynctnt.Transport.SSL transport. If server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 24, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
DifferentialOrange added a commit to DifferentialOrange/asynctnt that referenced this pull request Aug 24, 2022
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set
TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in
tarantool/tarantool-python connector [1].

1. tarantool/tarantool-python#220

Follows up igorcoding#22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support encrypted binary protocol (Tarantool Enterprise)
3 participants