Description
A new iproto.ssl section has been introduced. It has the following
options.
iproto.ssl
SSL parameters required for encrypted connections. These parameters
would be used to set up SSL IProto sockets and to connect to other
instances which require certificate authority (CA).
iproto.ssl.ca_file
(Optional) A path to a file with trusted certificate authorities (CA). If
not set, the peer is not checked for authenticity.
Both a server and a client can use the ca_file parameter:
- If it's on the server side, the server verifies the client.
- If it's on the client side, the client verifies the server.
- If both sides have the CA files, the server and the client verify each
other.
iproto.ssl.ssl_cert
A path to an SSL certificate file:
- For a server, it's mandatory.
- For a client, it's mandatory if the ca_file parameter is set for a
server; otherwise, optional.
iproto.ssl.ssl_ciphers
(Optional) A colon-separated (:) list of SSL cipher suites the
connection can use. Note that the list is not validated: if a cipher
suite is unknown, Tarantool ignores it, doesn't establish the
connection, and writes to the log that no shared cipher was found.
iproto.ssl.ssl_key
A path to a private SSL key file:
- For a server, it's mandatory.
- For a client, it's mandatory if the ca_file parameter is set for a
server; otherwise, optional.
If the private key is encrypted, provide a password for it in the
ssl_password or ssl_password_file parameter.
iproto.ssl.ssl_password
(Optional) A password for an encrypted private SSL key provided using
ssl_key. Alternatively, the password can be provided in
ssl_password_file.
Tarantool applies the ssl_password and ssl_password_file parameters
in the following order:
- If ssl_password is provided, Tarantool tries to decrypt the private
key with it.
- If ssl_password is incorrect or isn't provided, Tarantool tries all
passwords from ssl_password_file one by one in the order they are
written.
- If ssl_password and all passwords from ssl_password_file are
incorrect, or none of them is provided, Tarantool treats the private
key as unencrypted.
iproto.ssl.ssl_password_file
(Optional) A text file with one or more passwords for encrypted private
SSL keys provided using ssl_key (each on a separate line).
Alternatively, the password can be provided in ssl_password.
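The following cluster configuration is an added example, not code from the issue or from the Tarantool project. It shows the options above used for mutual authentication between two instances of one replicaset, where each instance is a server for the other's replication connection and a client at the same time, so a single iproto.ssl section covers both roles. The option names (ca_file, ssl_cert, ssl_key, ssl_ciphers, ssl_password_file) are taken from the issue; the groups/replicasets/instances layout, the file paths, the cipher list and keeping transport: 'ssl' under the listen params are assumptions.

```yaml
# Added example (not from the issue or the Tarantool docs).
# Assumed: the cluster-config layout, the paths, and that the listen
# URI still carries transport: 'ssl' in its params.
groups:
  group-001:
    replicasets:
      replicaset-001:
        instances:
          instance-001:
            iproto:
              listen:
                - uri: '127.0.0.1:3301'
                  params:
                    transport: 'ssl'
              ssl:
                # ca_file on both instances: each side verifies the
                # other's certificate (mutual authentication).
                ca_file: '/etc/tarantool/ssl/ca.crt'
                # Mandatory for a server, and mandatory for a client
                # whenever the peer server has ca_file set.
                ssl_cert: '/etc/tarantool/ssl/instance-001.crt'
                ssl_key: '/etc/tarantool/ssl/instance-001.key'
                # The key is encrypted; passwords are read from this
                # file one per line and tried in order. Keep the file
                # readable by the tarantool user only.
                ssl_password_file: '/etc/tarantool/ssl/instance-001.pass'
                # Assumed cipher list: forward-secret AEAD suites only.
                # A misspelled suite is silently dropped rather than
                # rejected at config load, so check each name first,
                # e.g. openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384'
                ssl_ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
          instance-002:
            iproto:
              listen:
                - uri: '127.0.0.1:3302'
                  params:
                    transport: 'ssl'
              ssl:
                ca_file: '/etc/tarantool/ssl/ca.crt'
                ssl_cert: '/etc/tarantool/ssl/instance-002.crt'
                ssl_key: '/etc/tarantool/ssl/instance-002.key'
                ssl_password_file: '/etc/tarantool/ssl/instance-002.pass'
                ssl_ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'
```

Two points worth checking against the option semantics above: dropping ca_file on only one instance silently turns mutual authentication into one-way verification, since the side without it accepts any peer certificate; and ssl_password_file is preferred over ssl_password here because the config file itself is usually readable more widely than a dedicated 0600 password file. Because an unknown cipher suite is ignored instead of rejected, a typo in ssl_ciphers shows up only as a "no shared cipher" failure at connection time, so validate the list before deploying.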
This section is a replacement for the parameters
iproto.listen.*.params.ssl_* and iproto.advertise.*.params.ssl_*.
The hints that redirect iproto.listen.*.params.ssl_* and
iproto.advertise.*.params.ssl_* to <uri>.params.ssl_* should be
marked as overriding the iproto.ssl options and marked for advanced
use only, with a hint that the user most likely wants to use iproto.ssl.
Also, the Tarantool SSL examples should be updated to use the new
iproto.ssl section instead.
Requested by @georgiy-belyanin in tarantool/tarantool@a54a406.