Continuing discussion from #14985, I would like to continue the discussion and agree on the solution.

CURRENT IMPLEMENTATION

Management port inherits all SSL settings from the server port; in other words, by default `management.server.ssl = server.ssl`, while any setting at `management.ssl.*` starts from a fresh `management.ssl` settings.

This is convenient in most of the cases, as in most cases the server-side settings are specified and match both the server and management settings, and there is no need to specify any override of management port settings.

I guess that the common case of design is for disabling management port SSL by `management.server.ssl.enabled=false`, which is good enough, and then we do not care about not inheriting settings from server but start fresh.

However, when specifying client-side authentication using `client-auth` and `key-*` on the `server.ssl.*` to provide client authentication to the remote side, it sometimes makes sense to either disable this for the management port or change the identity without impacting the server-side settings, for example `protocol`, `ciphers`, `enable-protocols` etc...

The problem is that once a single parameter is specified at `management.server.ssl.*` it requires specifying all parameters again, for example:

Notice that the `protocol` and `trust-store` should be repeated in the management statement just to turn client authentication off.

EXPECTED IMPLEMENTATION

Separate the server SSL settings from the client SSL settings while keeping backward compatibility.

I suggest moving the SSL client settings `client-auth` and `key-*` to an `ssl-client` object, and as fallback (if unset) consult the `ssl` object. For example:

or:

Backward compatibility is maintained using fallback to `server.ssl.*`.

Any other method will be gladly accepted :)
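As an added example (not the issue author's own configuration), the current behaviour described above written out as an `application.yml` with constructed key-store names and passwords; the `server.ssl-client` block in the second document is the shape proposed in this issue, not an existing Spring Boot property:

```yaml
# Constructed example: the application port requires mutual TLS.
server:
  port: 8443
  ssl:
    enabled: true
    protocol: TLS
    enabled-protocols: TLSv1.2
    key-store: classpath:server.p12        # constructed value
    key-store-password: changeit           # constructed value
    key-store-type: PKCS12
    trust-store: classpath:truststore.p12  # constructed value
    trust-store-password: changeit         # constructed value
    client-auth: need

# Current behaviour: the moment any management.server.ssl.* property is set,
# nothing is inherited from server.ssl any more. Turning client-auth off for
# the actuator port therefore means repeating the protocol, key store and
# trust store, even though only client-auth differs.
management:
  server:
    port: 8444
    ssl:
      enabled: true
      protocol: TLS
      enabled-protocols: TLSv1.2
      key-store: classpath:server.p12
      key-store-password: changeit
      key-store-type: PKCS12
      trust-store: classpath:truststore.p12
      trust-store-password: changeit
      client-auth: none   # actuator port no longer requires a client cert
---
# Proposal from this issue (hypothetical, not an existing property): the
# client-authentication settings live in ssl-client and fall back to ssl,
# so the management override only states what actually changes.
server:
  ssl:
    protocol: TLS
    key-store: classpath:server.p12
    key-store-password: changeit
    trust-store: classpath:truststore.p12
    trust-store-password: changeit
  ssl-client:
    client-auth: need
management:
  server:
    ssl-client:
      client-auth: none   # everything else still inherited from server.ssl
```

Because the management port in the first document accepts connections without a client certificate, it is worth binding it to a separate interface with `management.server.address` so actuator endpoints are not exposed as widely as the application port.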