SSL connection with certificate verification #61
Comments
@tkilias, please check a new version I've added connection option Is there any way I can configure a custom SSL certificate for Exasol in Docker container easily? I don't see an easy way to test it automatically right now and I would appreciate your help.
Hi @wildraid, Cool!
@wildraid Ok, here is the general plan
The best is probably having a script for all of this, I will be back when it is ready.
Hi @wildraid, I started with creating certificates and starting a docker-db with modified config. And it seems we don't need to set the command line parameters for Exasol. The EXAConf already provides an SSL section which sets up everything for us, if we provide the correct paths. You can find the current state in my fork (PLEASE NOTE: it is still work in progress and doesn't work yet, the websocket client currently returns a verification error): I will continue with it tomorrow.
Hi @wildraid, I was now finally able to set up a docker-db with certificates, such that the certificate verification works. The create_docker_db_container.sh creates the docker-db and the corresponding certs, and test.py connects to the docker-db with certificate verification activated. Currently, some things are still hard coded, so the next step is cleanup and removing hard coded parameters. Let me know what you think. Can you use this for tests? I am not sure if I can simplify it much more, but I am going to add a few comments to explain what the scripts do.
Hi @wildraid,
@tkilias, thank you! I'll check this out in the next few days and add an automated test to Travis.
@tkilias, could you send a current link to an example of how to run Exasol in docker with a custom SSL certificate? The old link does not work anymore. Thank you.
Hi @littleK0i,
SSL connection with certification verification & testing was fully implemented after a series of patches. Latest documentation: https://github.com/exasol/pyexasol/blob/master/docs/ENCRYPTION.md
Hi @wildraid,
We had a look into SSL certificate verification with the websocket api, and we saw that pyexasol uses ssl.CERT_NONE in case of encryption with no way to change it. https://github.com/badoo/pyexasol/blob/fbb1949f0ff613cae709b3f8d9e0d0d599fedc85/pyexasol/connection.py#L676
We tested if certificate verification works in general with websockets and it seems to work. To test it, we created our own private key and certificates (Server certificate testExasolChain.pem which was signed by the Root CA testRootCA.pem) and specified them as follows.
In the Exasol Database we need to add the following parameter:
-tlsPrivateKeyPath=/tmp/certs/testExasol.key -tlsCertificatePath=/tmp/certs/testExasolChain.pem
Websocket client:
ws = websocket.create_connection(host, sslopt={"cert_reqs": ssl.CERT_REQUIRED, "ca_certs": "/tmp/certs/testRootCA.pem"})
Can we add an option to the connection which allows the user to specify a RootCA?
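The option requested above, sketched as an added example (not pyexasol's code and not written by anyone in this thread): a hypothetical helper `build_sslopt`, whose parameter names `encryption`, `verify` and `ca_path` are assumptions, maps connection settings to the `sslopt` dict for `websocket.create_connection` so that verification is on by default and a wrong root CA path is rejected before any connection is attempted.

```python
import os
import ssl


def build_sslopt(encryption, verify=True, ca_path=None):
    """Map connection settings to websocket-client's sslopt dict.

    Hypothetical helper: the name and parameters are assumptions made for
    this example, not pyexasol's actual connection options.
    """
    if not encryption:
        if ca_path is not None:
            raise ValueError("ca_path is set but encryption is disabled")
        return {}
    if not verify:
        if ca_path is not None:
            raise ValueError("ca_path is set but verification is disabled")
        # Explicit opt-out, same effect as the hard-coded ssl.CERT_NONE.
        return {"cert_reqs": ssl.CERT_NONE, "check_hostname": False}

    # Default: verify the chain and the host name.
    opt = {"cert_reqs": ssl.CERT_REQUIRED, "check_hostname": True}
    if ca_path is None:
        return opt  # no custom root CA: trust anchors are left to the client
    # Fail before connecting if the path is wrong, instead of mid-handshake.
    if os.path.isdir(ca_path):
        opt["ca_cert_path"] = ca_path   # directory of hashed CA certificates
    elif os.path.isfile(ca_path):
        opt["ca_certs"] = ca_path       # single PEM bundle, e.g. testRootCA.pem
    else:
        raise FileNotFoundError(f"root CA not found: {ca_path}")
    return opt


if __name__ == "__main__":
    # Constructed settings; no certificate files are needed for these cases.
    for kwargs in ({"encryption": False},
                   {"encryption": True},
                   {"encryption": True, "verify": False}):
        print(kwargs, "->", build_sslopt(**kwargs))
```

The returned dict is what goes into `sslopt=` in the `websocket.create_connection` call quoted in the issue.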