Allow to disable SSL client authentication on the management port #14985
Conversation
When server and management are at different ports, and when server requires TLS client authentication, then there is no simple method to disable TLS client authentication for management port. Adding ssl.client-auth=none enables this.

Example:

```properties
server.port=8080
server.ssl.enabled=true
server.ssl.client-auth=need
management.server.port=8081
management.server.ssl.enabled=true
management.server.ssl.client-auth=none
```

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
@alonbl it's not very clear what this PR does. If you specify an SSL for It would have helped to add a test that exercises the intended change. Am I missing something here?
@snicoll: thanks! Here is the problem... Maybe I am doing the wrong solution, as I am not deep into spring-boot but more into security. And I see now that this is insufficient. I have the following configuration:

```yaml
server:
  ssl:
    enabled: true
    key-store: file:///tmp/server1.p12
    key-store-password: changeit
management:
  server:
    port: 8081
```

When I try to access management port, I get:

Now I set:

```yaml
server:
  ssl:
    enabled: true
    client-auth: need
    key-store: file:///tmp/server1.p12
    key-store-password: changeit
management:
  server:
    port: 8081
```

And try again:

This means that the SSL setting of server is copied to the management.

```yaml
server:
  ssl:
    enabled: true
    client-auth: need
    key-store: file:///tmp/server1.p12
    key-store-password: changeit
management:
  server:
    port: 8081
    ssl:
      client-auth:
```

Same result, so having an empty is not the same as reverting to null. I expect to be able to write something like:

```yaml
server:
  ssl:
    enabled: true
    client-auth: need
    key-store: file:///tmp/server1.p12
    key-store-password: changeit
management:
  server:
    port: 8081
    ssl:
      client-auth: none
```

However, I see that every variable at Based on that, I thought I will write:

```yaml
server:
  ssl:
    enabled: true
    client-auth: need
    key-store: file:///tmp/server1.p12
    key-store-password: changeit
management:
  server:
    port: 8081
    ssl:
      ciphers: ${server.ssl.ciphers:}
      #client-auth: ${server.ssl.client-auth:}
      enabled: ${server.ssl.enabled:}
      enabled-protocols: ${server.ssl.enabled-protocols:}
      key-alias: ${server.ssl.key-alias:}
      key-password: ${server.ssl.key-password:}
      key-store: ${server.ssl.key-store:}
      key-store-password: ${server.ssl.key-store-password:}
      key-store-provider: ${server.ssl.key-store-provider:}
      key-store-type: ${server.ssl.key-store-type:}
      protocol: ${server.ssl.protocol:}
      trust-store: ${server.ssl.trust-store:}
      trust-store-password: ${server.ssl.trust-store-password:}
      trust-store-provider: ${server.ssl.trust-store-provider:}
      trust-store-type: ${server.ssl.trust-store-type:}
```

However, the full environment of Summary: be able to inherit all settings of Can you think of another solution in which I can configure Thanks!
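The inheritance pitfall described in the comment above, modelled as a small configuration audit. This is an added example, not code from the PR or from Spring Boot; it assumes the behaviour reported in the thread (a separate management port inherits `server.ssl.*` unless `management.server.ssl.*` is set) and uses constructed sample properties taken from the PR description.

```python
from typing import Dict, List, Tuple

# Constructed sample: the properties from the PR description.
PR_EXAMPLE = """\
server.port=8080
server.ssl.enabled=true
server.ssl.client-auth=need
management.server.port=8081
management.server.ssl.enabled=true
management.server.ssl.client-auth=none
"""
RANK = {"plaintext": 0, "none": 1, "want": 2, "need": 3}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; blank lines and #/! comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_client_auth(props: Dict[str, str]) -> Dict[str, str]:
    """Client-auth mode in force on the application and management ports.
    Assumption (modelled on what the thread reports): with a separate management
    port, an absent or empty management.server.ssl.* value falls back to the
    corresponding server.ssl.* value."""
    server_enabled = props.get("server.ssl.enabled", "false").lower() == "true"
    server_auth = (props.get("server.ssl.client-auth") or "none").lower()
    server_mode = server_auth if server_enabled else "plaintext"
    mgmt_port = props.get("management.server.port")
    if not mgmt_port or mgmt_port == props.get("server.port", "8080"):
        return {"server": server_mode, "management": server_mode}  # shared connector
    mgmt_enabled = (props.get("management.server.ssl.enabled")
                    or str(server_enabled)).lower() == "true"
    mgmt_auth = (props.get("management.server.ssl.client-auth") or server_auth).lower()
    mgmt_mode = mgmt_auth if mgmt_enabled else "plaintext"
    return {"server": server_mode, "management": mgmt_mode}


def audit(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Report both modes and flag a management port weaker than the app port."""
    modes = effective_client_auth(parse_properties(text))
    findings: List[str] = []
    if RANK.get(modes["management"], 0) < RANK.get(modes["server"], 0):
        findings.append("management client-auth=%s weaker than server %s; actuator "
                        "endpoints need other access control" % (modes["management"], modes["server"]))
    return modes, findings
```

Run `audit` over a deployment's properties file to see what the management port actually enforces, and to be reminded that `client-auth=none` there leaves actuator endpoints without the mTLS protection the main port has.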
In that space, the current behavior is (see
So I believe this PR can actually be useful, since apparently there is no way to only disable that part of the SSL configuration for the management server.
When server and management are at different ports, and when server requires TLS client authentication, then there is no simple method to disable TLS client authentication for management port. This commit adds an additional "none" option to ssl.client-auth.

Example:

```properties
server.port=8080
server.ssl.enabled=true
server.ssl.client-auth=need
management.server.port=8081
management.server.ssl.enabled=true
management.server.ssl.client-auth=none
```

See gh-14985

* pr/14985:
  Polish contribution
  Allow to disable SSL client authentication on the management port
@alonbl thank you very much for making your first contribution to Spring Boot. I've merged this to
@snicoll : Thanks! Now we should think of how to allow setting individual settings in management instead of an all-or-nothing copy from the server. Should I open a PR for this discussion?
@alonbl An issue probably, as I'm not sure how this could be achieved without breaking backwards compatibility or making things more complex than necessary. Are you suggesting that
@bclozel: I suggest to have:
Maybe bad naming, but the principle is to move this setting out of the ssl, while maintaining backward compatibility, leaving ssl to only contain the settings for the crypto of the ssl. Any other idea?