SSL support #220
Totktonada
left a comment
Thanks for the patchset!
I don't feel very professional around encryption/openssl topics, so please take my review as 'something that a random guy can add here'.
Everything looks meaningful, it is what I can say :)
I left several questions/doubts, they're based on the ssl module documentation. Also a few stylistic comments.
The patchset looks good to me. Please glance at my comments, but they all look non-critical and can be passed over.
Issue in WSL actions repository: Vampire/setup-wsl#28
DifferentialOrange
left a comment
Seems awesome. Thank you! I have left several minor comments.
Regarding WSL: we may use WSL 1 as a workaround: https://github.com/tarantool/tarantool-python/actions/runs/2509312684 - name: Install test requirements
run: pip install -r requirements-test.txt
+ - run: wsl --set-default-version 1
+
- name: Setup WSL for tarantool
uses: Vampire/setup-wsl@v1
with:
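Review bot: the added `- run: wsl --set-default-version 1` step has no `name:`, unlike the neighbouring "Install test requirements" and "Setup WSL for tarantool" steps, so it appears in the job log as a bare command. Give it a name and a comment pointing at Vampire/setup-wsl#28, so the workaround is easy to find and remove once the upstream issue is resolved.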
It works, thank you!
DifferentialOrange
left a comment
Should be LGTM after resolving/ignoring remaining comments.
The patch adds support for using SSL to encrypt the client-server communications [1].
1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
Part of #217
The workflow uses Tarantool Enterprise Edition. It does not run for outside pull requests by default. Such pull requests may be labeled with `full-ci`. To avoid security problems, the label must be reset manually for every run.
Closes #217
Overview
This release features SSL support. To use SSL, pass SSL parameters
on connect:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_key_file=client_key_file,
        ssl_cert_file=client_cert_file,
        ssl_ca_file=client_ca_file,
        ssl_ciphers=client_ciphers)

ConnectionPool and MeshConnection also support these parameters.
See Tarantool Enterprise Edition manual for details [1].
1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
Breaking changes
There are no breaking changes in the release.
New features
* SSL support (PR #220, #217).
Testing
* Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview
This release features SSL support.
To use an encrypted connection with a Tarantool Enterprise Edition
instance, pass the "ssl" `transport` parameter on connect:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl")

If the server uses a trusted certificate authorities (CA) file, you must
set the private SSL key file with the `ssl_key_file` parameter and the SSL
certificate file with the `ssl_cert_file` parameter. If the server does not
use a CA file, these parameters are optional.

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_key_file=client_key_file,
        ssl_cert_file=client_cert_file)

To verify the server, set the client trusted certificate
authorities (CA) file with the `ssl_ca_file` parameter:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_ca_file=client_ca_file)

To set SSL ciphers, set them with the `ssl_ciphers` parameter as
a colon-separated (:) string:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_ciphers=client_ssl_ciphers)

ConnectionPool and MeshConnection also support these parameters.

    mesh = tarantool.MeshConnection(
        addrs=[  # a list with one dict per server
            {
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
        ],
        user=user,
        password=password)

    pool = tarantool.ConnectionPool(
        addrs=[  # a list with one dict per server
            {
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
        ],
        user=user,
        password=password)

See Tarantool Enterprise Edition manual for details [1].
1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
Breaking changes
There are no breaking changes in the release.
New features
* SSL support (PR #220, #217).
Testing
* Tarantool Enterprise testing workflow on GitHub actions (PR #220).
Overview
This release features SSL support.
To use an encrypted connection with a Tarantool Enterprise Edition
instance, pass the "ssl" `transport` parameter on connect:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl")

To verify the server, set the client trusted certificate
authorities (CA) file with the `ssl_ca_file` parameter:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_ca_file=client_ca_file)

If the server authenticates clients using certificates issued by
a given CA, you must provide the private SSL key file with the `ssl_key_file`
parameter and the SSL certificate file with the `ssl_cert_file` parameter.
Otherwise, these parameters are optional.

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_key_file=client_key_file,
        ssl_cert_file=client_cert_file)

To set SSL ciphers, set them with the `ssl_ciphers` parameter as
a colon-separated (:) string:

    con = tarantool.Connection(
        host, port,
        user=user,
        password=password,
        transport="ssl",
        ssl_ciphers=client_ssl_ciphers)

ConnectionPool and MeshConnection also support these parameters.

    mesh = tarantool.MeshConnection(
        addrs=[  # a list with one dict per server
            {
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
        ],
        user=user,
        password=password)

    pool = tarantool.ConnectionPool(
        addrs=[  # a list with one dict per server
            {
                "host": host,
                "port": port,
                "transport": "ssl",
                "ssl_key_file": client_key_file,
                "ssl_cert_file": client_cert_file,
                "ssl_ca_file": client_ca_file,
                "ssl_ciphers": client_ssl_ciphers,
            },
        ],
        user=user,
        password=password)

See Tarantool Enterprise Edition manual for details [1].
1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
Breaking changes
There are no breaking changes in the release.
New features
* SSL support (PR #220, #217).
Testing
* Tarantool Enterprise testing workflow on GitHub actions (PR #220).
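
An added example, not code from tarantool-python or from this pull request: a pre-flight check that applies the rules stated in the release notes above to MeshConnection/ConnectionPool style address dicts before they reach the connector. `audit_addr`, `audit_addrs` and `server_requires_client_cert` are hypothetical names, the sample addresses are constructed, and treating a missing `ssl_ca_file` as "server not verified" is this example's reading of the notes.

```python
import ssl

# Parameter names are the ones shown on this page; everything else here is
# a hypothetical helper written for illustration.
SSL_KEYS = {"transport", "ssl_key_file", "ssl_cert_file",
            "ssl_ca_file", "ssl_ciphers"}
ADDR_KEYS = {"host", "port"} | SSL_KEYS

# Constructed sample: an address list in the MeshConnection/ConnectionPool style.
SAMPLE_ADDRS = [
    {"host": "10.0.0.1", "port": 3301, "transport": "ssl",
     "ssl_ca_file": "ca.crt", "ssl_ciphers": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"host": "10.0.0.2", "post": 3301, "transport": "ssl",
     "ssl_key_file": "client.key"},
    {"host": "10.0.0.3", "port": 3301},
]


def audit_addr(addr, server_requires_client_cert=False):
    """Return a list of findings for one address dict (empty list = clean)."""
    findings = []
    unknown = sorted(set(addr) - ADDR_KEYS)
    if unknown:
        # A misspelled key is not an SSL option; flag it instead of passing it on.
        findings.append("unknown keys: " + ", ".join(unknown))
    if addr.get("transport") != "ssl":
        findings.append("transport is not 'ssl': connection is not encrypted")
        return findings
    key, cert = addr.get("ssl_key_file"), addr.get("ssl_cert_file")
    if key and not cert:
        findings.append("ssl_key_file without ssl_cert_file: "
                        "no client certificate to present")
    if server_requires_client_cert and not (key and cert):
        findings.append("server authenticates clients: "
                        "ssl_key_file and ssl_cert_file are required")
    if not addr.get("ssl_ca_file"):
        # Assumption: read from "To verify the server, set ... ssl_ca_file".
        findings.append("ssl_ca_file not set: server certificate is not verified")
    ciphers = addr.get("ssl_ciphers")
    if ciphers is not None:
        try:
            # Let the local OpenSSL parse the colon-separated cipher string.
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(ciphers)
        except ssl.SSLError:
            findings.append("ssl_ciphers selects no cipher known to OpenSSL")
    return findings


def audit_addrs(addrs, **kwargs):
    """Audit a list of address dicts; return {index: findings} for bad ones."""
    report = {}
    for index, addr in enumerate(addrs):
        findings = audit_addr(addr, **kwargs)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_addrs(SAMPLE_ADDRS).items():
        for finding in findings:
            print(f"addrs[{index}]: {finding}")
```

The check never opens the key, certificate or CA files; it only inspects which parameters are present and asks the local OpenSSL whether the cipher string selects anything.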
This patch adds support for using SSL to encrypt the client-server
communications [1]. The patch is based on a similar patch in
tarantool/tarantool-python connector [2].

To use an SSL encrypted connection, use Connection parameters:

    conn = asynctnt.Connection(host='127.0.0.1',
                               port=3301,
                               transport=asynctnt.Transport.SSL,
                               ssl_key_file='./ssl/host.key',
                               ssl_cert_file='./ssl/host.crt',
                               ssl_ca_file='./ssl/ca.crt',
                               ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')

If the Tarantool server uses "ssl" transport, the client connection also needs to
use asynctnt.Transport.SSL transport. If the server side had ssl_ca_file
set, ssl_key_file and ssl_cert_file are mandatory from the client side,
otherwise optional. CA file and ciphers are optional. See available
ciphers in Tarantool EE documentation [3].

1. https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
2. tarantool/tarantool-python#220
3. https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers

Closes igorcoding#22

To run SSL tests, use Tarantool Enterprise 2.10 or newer and set the TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in tarantool/tarantool-python connector [1].
1. tarantool/tarantool-python#220
Follows up igorcoding#22
The patch adds support for using SSL to encrypt the client-server communications.
Also it adds a workflow that uses Tarantool Enterprise Edition. It does not run for outside pull requests by default. Such pull requests may be labeled with `full-ci`. To avoid security problems, the label must be reset manually for every run.
Closes #217
Please be careful. I don't program in Python. So there may be mistakes in basic and idiomatic things.