Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for 'prefer' TLS mode and make it default #179

Merged
merged 7 commits into from
Oct 9, 2024

Conversation

tanvipise
Copy link
Contributor

No description provided.

@tanvipise tanvipise requested a review from sitingren September 25, 2024 20:37
@CLAassistant
Copy link

CLAassistant commented Sep 25, 2024

CLA assistant check
All committers have signed the CLA.

@sitingren
Copy link
Member

@DMickens I'd like to use the name prefer rather than server-prefer, so when we unify go client's tlsmode with other clients, there is less compatibility work to do.

connection.go Outdated
// Set default to tlsModeServerPrefer
sslFlag = tlsModeServerPrefer
// Set default to tlsModePrefer
sslFlag = tlsModeNone
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed this back to 'tlsModeNone' as it was initially which is an appropriate logic. This change made all the workflow tests pass.

Copy link

@williammatherjones williammatherjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from my perspective. I think Siting should approve too.

connection.go Outdated Show resolved Hide resolved
connection.go Outdated
@@ -676,6 +677,9 @@ func (v *connection) initializeSSL(sslFlag string) error {
case tlsModeServer:
connectionLogger.Info("enabling SSL/TLS server mode")
v.conn = tls.Client(v.conn, &tls.Config{InsecureSkipVerify: true})
case tlsModePrefer:
connectionLogger.Info("enabling SSL/TLS prefer mode")
v.conn = tls.Client(v.conn, &tls.Config{ServerName: v.connURL.Hostname(), InsecureSkipVerify: true})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the reason we need to set the ServerName in the tls Config?

Copy link
Contributor

@DMickens DMickens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't expect this will work when the server is not configured for TLS. Has this been tested in cases where the server IS configured as well as IS NOT configured for TLS?

It looks to me like initializeSSL() returns an error every time if the server's response is that SSL is not supported ('N'). This error return value then causes the calling function to error out early as well. Previously there was no option for the driver to proceed when a TLS mode was provided. Now with 'prefer', we want to proceed even if TLS is not supported, so if the server responds with 'N', we don't want to return an error if the tls mode is prefer. But if the tls mode is server or server-strict, then it would be an error.

@DMickens
Copy link
Contributor

DMickens commented Oct 7, 2024

I think this looks good now, lets give Siting a chance to review now that she is back

CONTRIBUTING.md Outdated Show resolved Hide resolved
@@ -201,6 +201,10 @@ func TestTLSConfiguration(t *testing.T) {
switch *tlsMode {
case "none":
assertEqual(t, sslState, "None")
case "prefer":
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no new test adding to CI, have you manually tested these two cases?

  • tlsmode=prefer, TLS is not configured on server
  • tlsmode=prefer, TLS is enabled on server

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I have tested them manually and also verified them with @DMickens.

@sitingren sitingren changed the title Add support for 'server-prefer' TLS mode and make it default Add support for 'prefer' TLS mode and make it default Oct 9, 2024
@sitingren sitingren merged commit 29af615 into vertica:master Oct 9, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants