
Supplemental changes for PR #1357 #1363

Merged (13 commits) Aug 21, 2015

Conversation

@joschi (Contributor) commented Aug 20, 2015

Some supplemental changes to PR #1357 to speed up things due to the upcoming code freeze.

CK_TLS_NEED_CLIENT_AUTH,
"TLS Need Client Auth",
false,
"TLS Need Client Auth")
Member

I think it would be good to have a small description what "Need Client Auth" (and also "Want Client Auth") actually means.

Member

Also setting "need client auth" does not have any effect. I can still send with a client that has no client certificates configured. Only "want client auth" seems to make a difference. If it is checked, the connection fails if no client certs are configured.

Can someone explain why we need both? @gbu-censhare

Contributor

From the JavaDoc it reads like this:

setNeedClientAuth: Configures the engine to require client authentication. This option is only useful for engines in the server mode. An engine's client authentication setting is one of the following: client authentication required, client authentication requested, no client authentication desired

setWantClientAuth: Configures the engine to request client authentication. This option is only useful for engines in the server mode. An engine's client authentication setting is one of the following: client authentication required, client authentication requested, no client authentication desired

So "want" asks if possible, "need" requires one, per the documentation. "Want" is optional in my opinion; I added it for completeness.

Member

Okay, the confusion is solved.

The "want" option accepts clients without any cert and clients with a valid cert. Clients with invalid certs are not accepted.

The "need" option only accepts clients with a valid certificate.

The code needs to be changed to only set one of the options because they overwrite each other. @joschi is currently working on that.
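The point raised above (the two options overwrite each other) follows from the SSLEngine API: "need", "want" and "none" are three values of a single client-authentication mode, and both setters reset that one mode. The following is an added example, not code from this PR or from graylog2-server; it uses only the standard javax.net.ssl API and the JVM's default SSLContext (no keystore needed, since no handshake is performed). The applyClientAuth helper and its precedence rule (need wins over want) are an assumption about how two independent boolean config switches should be mapped onto the single mode, matching the fix described in the comment.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;

// Added example (not graylog2-server code): demonstrates that
// setWantClientAuth and setNeedClientAuth configure one three-valued
// client-auth mode on an SSLEngine, so whichever is called last wins.
public class ClientAuthModeDemo {

    enum ClientAuthMode { NONE, WANT, NEED }

    // Reads back the effective mode from the engine's two getters.
    static ClientAuthMode modeOf(SSLEngine engine) {
        if (engine.getNeedClientAuth()) return ClientAuthMode.NEED;
        if (engine.getWantClientAuth()) return ClientAuthMode.WANT;
        return ClientAuthMode.NONE;
    }

    // Hypothetical helper: maps two boolean configuration switches onto the
    // single mode. "need" (require a valid client cert) takes precedence;
    // "want" (accept clients with a valid cert or no cert, reject invalid
    // certs) is applied only when "need" is off. Exactly one setter is
    // called in the non-default cases, so the settings cannot clobber each other.
    static void applyClientAuth(SSLEngine engine, boolean need, boolean want) {
        engine.setUseClientMode(false); // client-auth settings only apply in server mode
        if (need) {
            engine.setNeedClientAuth(true);
        } else if (want) {
            engine.setWantClientAuth(true);
        } else {
            engine.setNeedClientAuth(false);
            engine.setWantClientAuth(false);
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();

        // 1. Calling both setters in sequence: each call resets the other.
        SSLEngine e1 = ctx.createSSLEngine();
        e1.setUseClientMode(false);
        e1.setWantClientAuth(true);
        System.out.println("after setWantClientAuth(true): " + modeOf(e1));
        e1.setNeedClientAuth(true);
        System.out.println("after setNeedClientAuth(true): " + modeOf(e1)
                + " (want=" + e1.getWantClientAuth() + ")");
        e1.setWantClientAuth(true);
        System.out.println("after setWantClientAuth(true): " + modeOf(e1)
                + " (need=" + e1.getNeedClientAuth() + ")");

        // 2. Applying two boolean switches with an explicit precedence rule.
        SSLEngine e2 = ctx.createSSLEngine();
        applyClientAuth(e2, true, true);
        System.out.println("need=true,  want=true -> " + modeOf(e2));
        applyClientAuth(e2, false, true);
        System.out.println("need=false, want=true -> " + modeOf(e2));
        applyClientAuth(e2, false, false);
        System.out.println("need=false, want=false -> " + modeOf(e2));
    }
}
```

Compile and run with `javac ClientAuthModeDemo.java && java ClientAuthModeDemo`. Per the JavaDoc for both setters ("Calling this method overrides any previous setting made by this method or set...ClientAuth(boolean)"), the first section shows the mode flipping WANT to NEED and back to WANT, with the other getter returning false each time; the second section shows why a server exposing two checkboxes must decide the precedence itself rather than calling both setters from the config values.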

@gb6881 (Contributor) commented Aug 21, 2015

Nice, thanks for spotting my mistakes.
I have an additional switch built in to enable TCP compression, so if you're interested I can create a pull request for this:
https://github.com/gbu-censhare/graylog2-server/commit/60e1de7c1acca65317630b85ecec9ec64f1e6598

@bernd (Member) commented Aug 21, 2015

LGTM and tested with several clients. 👍

3 participants