Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Exactly Kai ! 


The "allowInsecure" flag for the unsecurePort is something like the "keyStorePath" for the (secure) port.


Agree on that ;)


Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience


From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Kai <sophokles.kh@xxxxxxxxx>
Sent: Monday, March 06, 2017 4:54 PM
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time
 
Hey Paolo,

very smart questions ...

On Mon, Mar 6, 2017 at 5:07 PM Paolo Patierno <ppatierno@xxxxxxxx> wrote:

Some scenarios ... because I have a little confusion on the possibilities ...


1)

hono.server.keyStorePath = null

hono.server.port not configured

hono.server.unsecurePort not configured (or hono.server.unsecurePort = <unsecure_port>)


Hono server opens only the default "unsecure" 5672 (or <unsecure_port>) port or throws an exception because we want AT LEAST the secured one ? So "unsecure port" not configured means ... no open this port


I guess we need something like a boolean hono.server.allowInsecure flag as well which would be required to be set to "true" in order to open up the insecure port. If hono.server.insecurePort is set then that port is used, otherwise the default port 5672 would be used. Sounds good?

2)

hono.server.keyStorePath = <keyStorePath>

hono.server.port not configured (or hono.server.port not configured = <port>)

hono.server.unsecurePort not configured


Hono server opens only the default "secure" 5671 port (or <port>)


yes 

3)


hono.server.keyStorePath = <keyStorePath>

hono.server.port not configured (or hono.server.port not configured = <port>)

hono.server.unsecurePort = <unsecure_port>


Hono server opens both default "secure" 5671 (or <port>) and <unsecure_port>


What is the way to open both default ports ?


see above, i.e. use the hono.server.allowInsecure flag to enable/disable the insecure port 

It seems to me that setting or not hono.server.keyStorePath --> open or not a "secure" port


But what about opening the "unsecure" one ? Not configured --> open the default 5672 or not open it ?


Thanks,

Paolo




Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience


From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Maas Ingo (INST/ECS4) <Ingo.Maas@xxxxxxxxxxxx>
Sent: Monday, March 06, 2017 3:48 PM
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time
 
Improving Kai's proposal, I would prefer "insecure" instead of "unsecure".

Kind regards,

Ingo Maas

Bosch Software Innovations GmbH
INST/ECS4
Schöneberger Ufer 89 - 91
10785 Berlin
GERMANY
www.bosch-si.de

Tel. +49 30 726112-156
Fax +49 30 726112-100
ingo.maas@xxxxxxxxxxxx

Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B
Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn

________________________________________
Von: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx]&quot; im Auftrag von &quot;Hudalla Kai (INST/ECS4) [Kai.Hudalla@xxxxxxxxxxxx]
Gesendet: Montag, 6. März 2017 14:33
An: hono-dev@xxxxxxxxxxx
Betreff: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Hi Karsten,

thanks for the proposal. I have added some comments below...

Kai

On Mon, 2017-03-06 at 12:09 +0000, Frank Karsten (INST/ECS4) wrote:
> Hello,
>
> while writing a HelloWorld tutorial for Hono to produce a Java client that is
> as simple as possible,
> I found out that:
>
> - the Hono client is written for both variants (encrypted/unencrypted) and
> switches to "amqps" resp. "amqp" as protocol designator
>
> - the Hono server though currently can be configured to EITHER encrypted (based
> on hono.server.keyStorePath) OR unencrypted (if hono.server.keyStorePath is
> null, i.e. not configured) communication
>
>
> -> I propose to make the Hono server more flexible, so that both variants can
> be supported at the same time.
>
>
> Following I have in mind:
>
> 1.) default should remain "only one port configured for SSL"
>
agreed, we should always bind a "secure" port if keys are configured

> Hono server will always insist on finding this already available port and
> behaves like implemented: opens it for EITHER encrypted OR unencrypted
> communication.
>
> Configuration:
>
> hono:
>    server:
>       port: 5672
>
>
if keys are configured the secure port should better be 5671 which is the IANA
registered port for AMQPS (aka AMQP over TLS)

> 2.) optionally a second port can be opened
>
> Configuration:
>
> hono:
>    server:
>       unEncryptedPort: 5671
>
I'd rather call the ports "secure" and "unsecure" and the default for "unsecure"
should be 5672 (as defined by the spec)

>
> If Hono server additionally finds the port "unEncryptedPort" configured, it
> will open this as well and always opens it for unencrypted communication.
>
> 3.) Hono client remains unchanged - it already works with both variants of
> server ports.
>
IMHO we should adapt its behavior based on the default ports for secure and
unsecure communication, i.e. if no port is specified but a trust store is
configured, we should assume 5671 as the port, otherwise 5672

>
> What do you think?
>
> Looking forward to feedback...
>
> Karsten (sysexcontrol)
>
> Bosch Software Innovations GmbH
> Development Core Products (INST/ECS6-Be)
> Schöneberger Ufer 89-91
> 10785 Berlin
> GERMANY
> www.bosch-si.de
> www.blog.bosch-si.com
>
> Tel. +49 30 726112-403
> Fax +49 30 726112-100
> Karsten.Frank@xxxxxxxxxxxx
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB
> 148411 B
> Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
> _______________________________________________
> hono-dev mailing list
> hono-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/hono-dev
_______________________________________________
hono-dev mailing list
hono-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/hono-dev
_______________________________________________
hono-dev mailing list
hono-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/hono-dev
_______________________________________________
hono-dev mailing list
hono-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/hono-dev

Back to the top