
SSL connection with certificate verification #61

Closed
tkilias opened this issue Nov 20, 2020 · 10 comments

Comments

@tkilias
Collaborator

tkilias commented Nov 20, 2020

Hi @wildraid,

We had a look into SSL certificate verification with the websocket api, and we saw that pyexasol uses ssl.CERT_NONE in case of encryption with no way to change it.

https://github.com/badoo/pyexasol/blob/fbb1949f0ff613cae709b3f8d9e0d0d599fedc85/pyexasol/connection.py#L676

We tested if certificate verification works in general with websockets and it seems to work. To test it, we created our own private key and certificates (Server certificate testExasolChain.pem which was signed by the Root CA testRootCA.pem) and specified them as follows.

In the Exasol Database we need to add the following parameter:

-tlsPrivateKeyPath=/tmp/certs/testExasol.key -tlsCertificatePath=/tmp/certs/testExasolChain.pem

Websocket client:

ws = websocket.create_connection(host, sslopt={"cert_reqs": ssl.CERT_REQUIRED, "ca_certs": "/tmp/certs/testRootCA.pem"})

Can we add an option to the connection which allows the user to specify a RootCA?

@littleK0i
Collaborator

@tkilias , please check a new version 0.15.1.

I've added connection option websocket_sslopt which goes directly to WebSocket client sslopt argument.

388ffd2

Is there any way I can easily configure a custom SSL certificate for Exasol in a Docker container? I don't see an easy way to test it automatically right now and I would appreciate your help.
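An added illustration (not code from this thread or from pyexasol itself) of the two configurations discussed above: the CERT_NONE default tkilias found, and a `sslopt` dict of the form that the new `websocket_sslopt` option forwards to `websocket.create_connection`, plus a small audit that flags the non-verifying variants. The CA path and the `pyexasol.connect` usage in the trailing comment are assumptions; nothing here opens a connection.

```python
import ssl
from typing import Any, Dict, List, Optional

# Assumed placeholder path, following the /tmp/certs layout used in the issue.
ROOT_CA_PATH = "/tmp/certs/testRootCA.pem"


def weak_sslopt() -> Dict[str, Any]:
    """The behaviour described in the issue before 0.15.1: TLS is on, but the
    server certificate is never verified, so any certificate is accepted."""
    return {"cert_reqs": ssl.CERT_NONE}


def verifying_sslopt(ca_certs: str = ROOT_CA_PATH) -> Dict[str, Any]:
    """sslopt that pins trust to a private root CA, as in the issue's
    websocket.create_connection(..., sslopt=...) test. websocket-client also
    reads the 'check_hostname' key before building its SSLContext."""
    return {
        "cert_reqs": ssl.CERT_REQUIRED,  # abort the handshake on an unverifiable chain
        "ca_certs": ca_certs,            # trust anchor that signed the server chain
        "check_hostname": True,          # bind the presented cert to the connected host
    }


def audit_sslopt(sslopt: Optional[Dict[str, Any]]) -> List[str]:
    """Defender-side check of a websocket_sslopt dict. Returns the reasons the
    client would accept a certificate it cannot verify; [] means it verifies."""
    findings: List[str] = []
    if not sslopt:
        return ["no websocket_sslopt: verification depends on library defaults"]
    # A missing cert_reqs is treated as unverified here (conservative choice).
    if sslopt.get("cert_reqs", ssl.CERT_NONE) != ssl.CERT_REQUIRED:
        findings.append("cert_reqs is not CERT_REQUIRED: server cert not verified")
    if not any(k in sslopt for k in ("ca_certs", "ca_cert_path", "context")):
        findings.append("no trust anchor: a privately signed Exasol cert cannot be verified")
    if sslopt.get("check_hostname", True) is False:
        findings.append("check_hostname=False: cert is not tied to the Exasol host")
    return findings


# Assumed usage with pyexasol >= 0.15.1 (keyword from the thread; not executed):
#   pyexasol.connect(dsn=..., user=..., password=..., encryption=True,
#                    websocket_sslopt=verifying_sslopt())
```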

@tkilias
Collaborator Author

tkilias commented Nov 23, 2020

Hi @wildraid,

Cool!
I'm happy to help with the test setup. I am going to gather all necessary information and get back to you later. We could also think about including the necessary functions in the integration-test-docker-environment, but this is not mandatory.

@tkilias
Collaborator Author

tkilias commented Nov 23, 2020

@wildraid Ok, here is the general plan:

  1. Create certificates to $PWD/certificates
  2. Create a ExaConf template
  3. Add the database parameter to the ExaConf
  4. Create docker-db container which mounts the certificates to the correct directory
    • docker run -v "$PWD/certificates":/tmp/certificates --rm -i exasol/docker-db:<version>

The best is probably having a script for all of this, I will be back when it is ready.

@tkilias
Collaborator Author

tkilias commented Nov 23, 2020

Hi @wildraid,

I started with creating certificates and starting a docker-db with a modified config. And it seems we don't need to set the command line parameters for Exasol. The EXAConf already provides an SSL section which sets up everything for us, if we provide the correct paths.

You can find the current state in my fork (PLEASE NOTE: it is still work in progress and doesn't work yet; the websocket client currently returns a verification error):
https://github.com/tkilias/pyexasol/tree/pyexasol_ssl_test

I continue tomorrow with it.

@tkilias
Collaborator Author

tkilias commented Nov 24, 2020

Hi @wildraid ,

I was now finally able to set up a docker-db with certificates such that the certificate verification works. The create_docker_db_container.sh creates the docker-db and the corresponding certs, and test.py connects to the docker-db with certificate verification activated. Currently, some things are still hard-coded, so the next step is cleanup and removing hard-coded parameters.

Let me know what you think. Can you use this for tests? I am not sure if I can simplify it much more, but I am going to add a few comments to explain what the scripts do.

@tkilias
Collaborator Author

tkilias commented Nov 25, 2020

Hi @wildraid ,
so, I finished the cleanup of the setup script in https://github.com/tkilias/pyexasol/tree/pyexasol_ssl_test/pyexasol_ssl_testt. Let me know if you need something else.

@littleK0i
Collaborator

@tkilias , thank you!

I'll check this out in the next few days and add an automated test to Travis.

@littleK0i
Collaborator

@tkilias , could you send a current link to an example of how to run Exasol in Docker with a custom SSL certificate? The old link does not work anymore.

Thank you.

@allipatev
Contributor

Hi @littleK0i ,
If you are still interested, it seems that you just need to remove one trailing t from the link https://github.com/tkilias/pyexasol/tree/pyexasol_ssl_test/pyexasol_ssl_testt and it works.

@littleK0i
Collaborator

SSL connection with certificate verification & testing was fully implemented after a series of patches.

Latest documentation: https://github.com/exasol/pyexasol/blob/master/docs/ENCRYPTION.md
Workflow for testing: https://github.com/exasol/pyexasol/blob/master/.github/workflows/ssl_cert.yml
