Separating configuration for client and server trust store #1246
Conversation
…h for outgoing connection to a broker
Sounds reasonable to me. 👍
We need to add the settings in broker.conf and standalone.conf
@@ -894,6 +896,14 @@ public void setBrokerClientAuthenticationParameters(String brokerClientAuthentic | |||
this.brokerClientAuthenticationParameters = brokerClientAuthenticationParameters; | |||
} | |||
|
|||
public String getBrokerClientTrustCertsFilePath() { |
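Review bot: the new `getBrokerClientTrustCertsFilePath()` accessor added beside `setBrokerClientAuthenticationParameters` carries no Javadoc in the hunk saying what an empty value means for outgoing broker connections (fall back to the server trust store, fall back to the JVM default trust store, or refuse to start), which is exactly the question raised in review; state the chosen behaviour on the field and repeat it in the matching `broker.conf` and `standalone.conf` entries so that operators do not assume the server-side trust store is reused for outgoing connections.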
Should this default to the server trust store if empty?
I feel it will make setting the trust store a bit complicated. Right now it is simple to set one trust store for the client side and one for the server.
But if you feel strongly about it, let me know and I will set the default to the server trust store.
@merlimat - waiting for your reply before merging
Sure, sounds good. We can revisit later if needed.
retest this please
This PR separates the trust store used for incoming connections (client side) from the one used for outgoing connections (broker side).
We have a use case where we want to trust only a specific trust store for client authentication (e.g. athens), but our broker certs could be signed by any other CA.
Also created new certs with a 10-year expiry.
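The property this PR is after, shown end to end with openssl as an added example (this is not code from the PR or from the Pulsar project): two independent CAs are created, a client certificate is issued by one and a broker certificate by the other, and each trust store is then checked against both leaf certificates. The CA names, file names, the `$WORK` directory and the 10-year validity are choices made for this demo; the mapping of the two PEM files onto the broker settings (`tlsTrustCertsFilePath` for incoming client authentication and `brokerClientTrustCertsFilePath` for outgoing connections, the latter inferred from the getter in the hunk above) is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the Pulsar PR: build two unrelated CAs and show
# that a trust store accepts only certificates chaining to its own CA.
set -e

WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys and certs (demo choice)

# Minimal openssl config: `req` needs a distinguished_name section even when
# -subj is given; v3_ca marks the self-signed cert as a CA so that
# `openssl verify` accepts it as a trust anchor.
write_cfg() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# gen_ca NAME: self-signed CA with a 10-year validity, as in the PR's new certs.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# gen_leaf NAME CA EKU: end-entity cert for NAME signed by CA, with the given
# extendedKeyUsage (clientAuth for a client, serverAuth for a broker).
gen_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -days 3650 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
        -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# setup_pki: one CA per direction, one leaf per CA. Idempotent.
# Assumed mapping onto the broker settings:
#   client-ca.pem -> tlsTrustCertsFilePath         (incoming client auth)
#   broker-ca.pem -> brokerClientTrustCertsFilePath (outgoing broker connections)
setup_pki() {
    [ -f "$WORK/broker-cert.pem" ] && return 0
    write_cfg
    gen_ca client-ca
    gen_ca broker-ca
    gen_leaf client-cert client-ca clientAuth
    gen_leaf broker-cert broker-ca serverAuth
}

# check_trust CA LEAF: prints "ok" if LEAF chains to CA, "fail" otherwise.
check_trust() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

setup_pki
for pair in "client-ca client-cert" "client-ca broker-cert" \
            "broker-ca broker-cert" "broker-ca client-cert"; do
    set -- $pair
    echo "trust store $1.pem, presented cert $2.pem: $(check_trust "$1" "$2")"
done
```

With a single shared trust store the broker-ca-signed certificate would also pass client authentication; with the two stores kept apart, `client-ca.pem` rejects `broker-cert.pem` and `broker-ca.pem` rejects `client-cert.pem`, which is the separation the PR description asks for.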