| Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time |
|
I'm a bit confused about that because it seems that in this way the "hono.server.port" can have two different meanings ...
Secure port if keyStorePath is set Insecure port if keyStorePath is not set
but then ... if we set the keyStorePath, then the Insecure port is specified with another parameter "hono.server.insecurePort".
Making hono.server.port mandatory we can't leverage on the IANA defaults.
If it's not mandatory and using the Kai's idea around the "allowInsecure" flag we can have :
1) keyStorePath = <keyStorePath> port = not configured or <port>
Only secure default 5671 (or <port>)
2) keyStorePath = <keyStorePath>
port = not configured or <port> allowInsecure = true insecurePort = not configured or <insecurePort>
both secure default 5671
(or <port>) and insecure (or <insecurePort>)
Agree about warnings if default ports are used in the "wrong" way.
Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT Microsoft Azure Advisor
From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Frank Karsten (INST/ECS4) <Karsten.Frank@xxxxxxxxxxxx>
Sent: Monday, March 06, 2017 4:57 PM To: hono developer discussions Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time Thanks for all comments, I like to refine my proposal with the goal to keep things simple to the following:
1.) "hono.server.port" : Is mandatory. We stick to the strategy that Hono decides if the port is secure only by trying to find a "keyStorePath" configured. We then reflect the standard port behaviour for AMQP (5671 secure, 5672 insecure) by printing a WARNING to the log files if it is violated. Warnings are printed for: - 5671 but no keyStorePath found - 5672 but keyStorePath found Why that? I would prefer warnings instead of exceptions only for flexibility: to start several Hono instances on the same machine (without using docker) sometimes could be very handy, and this would not be possible anymore if Hono refuses to start. 2.) "hono.server.insecurePort": Is optional, and always insecure, so no keyStorePath for that port. Must never be set to 5671 (exception thrown) - the secure port can only be configured for the "hono.server.port". This would be still rather simple, still flexible and to a certain amount reflect the standard port behaviour for AMQP. What do you think? Bosch Software Innovations GmbH
Development Core Products (INST/ECS6-Be) Schöneberger Ufer 89-91 10785 Berlin GERMANY www.bosch-si.de www.blog.bosch-si.com Tel. +49 30 726112-403 Fax +49 30 726112-100 Karsten.Frank@xxxxxxxxxxxx Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn Von: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx]" im Auftrag von "Paolo Patierno [ppatierno@xxxxxxxx]
Gesendet: Montag, 6. März 2017 17:07 An: hono developer discussions Betreff: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time Some scenarios ... because I have a little confusion on the possibilities ...
1) hono.server.keyStorePath = null hono.server.port not configured hono.server.unsecurePort not configured (or hono.server.unsecurePort = <unsecure_port>)
Hono server opens only the default "unsecure" 5672 (or <unsecure_port>) port or throws an exception because we want AT LEAST the secured one ? So "unsecure port" not configured means ... no open this port
2) hono.server.keyStorePath = <keyStorePath> hono.server.port
not configured (or hono.server.port not configured = <port>) hono.server.unsecurePort
not configured
Hono server opens only the default "secure" 5671 port (or <port>)
3)
hono.server.keyStorePath = <keyStorePath>
hono.server.port not configured (or hono.server.port not configured = <port>) hono.server.unsecurePort = <unsecure_port>
Hono server opens both default "secure" 5671 (or <port>) and <unsecure_port>
What is the way to open both default ports ?
It seems to me that setting or not hono.server.keyStorePath --> open or not a "secure" port
But what about opening the "unsecure" one ? Not configured --> open the default 5672 or not open it ?
Thanks, Paolo
Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT Microsoft Azure Advisor
From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Maas Ingo (INST/ECS4) <Ingo.Maas@xxxxxxxxxxxx>
Sent: Monday, March 06, 2017 3:48 PM To: hono developer discussions Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time Improving Kai's proposal, I would prefer "insecure" instead of "unsecure".
Kind regards, Ingo Maas Bosch Software Innovations GmbH INST/ECS4 Schöneberger Ufer 89 - 91 10785 Berlin GERMANY www.bosch-si.de Tel. +49 30 726112-156 Fax +49 30 726112-100 ingo.maas@xxxxxxxxxxxx Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn ________________________________________ Von: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx]" im Auftrag von "Hudalla Kai (INST/ECS4) [Kai.Hudalla@xxxxxxxxxxxx] Gesendet: Montag, 6. März 2017 14:33 An: hono-dev@xxxxxxxxxxx Betreff: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time Hi Karsten, thanks for the proposal. I have added some comments below... Kai On Mon, 2017-03-06 at 12:09 +0000, Frank Karsten (INST/ECS4) wrote: > Hello, > > while writing a HelloWorld tutorial for Hono to produce a Java client that is > as simple as possible, > I found out that: > > - the Hono client is written for both variants (encrypted/unencrypted) and > switches to "amqps" resp. "amqp" as protocol designator > > - the Hono server though currently can be configured to EITHER encrypted (based > on hono.server.keyStorePath) OR unencrypted (if hono.server.keyStorePath is > null, i.e. not configured) communication > > > -> I propose to make the Hono server more flexible, so that both variants can > be supported at the same time. > > > Following I have in mind: > > 1.) default should remain "only one port configured for SSL" > agreed, we should always bind a "secure" port if keys are configured > Hono server will always insist on finding this already available port and > behaves like implemented: opens it for EITHER encrypted OR unencrypted > communication. > > Configuration: > > hono: > server: > port: 5672 > > if keys are configured the secure port should better be 5671 which is the IANA registered port for AMQPS (aka AMQP over TLS) > 2.) optionally a second port can be opened > > Configuration: > > hono: > server: > unEncryptedPort: 5671 > I'd rather call the ports "secure" and "unsecure" and the default for "unsecure" should be 5672 (as defined by the spec) > > If Hono server additionally finds the port "unEncryptedPort" configured, it > will open this as well and always opens it for unencrypted communication. > > 3.) Hono client remains unchanged - it already works with both variants of > server ports. > IMHO we should adapt its behavior based on the default ports for secure and unsecure communication, i.e. if no port is specified but a trust store is configured, we should assume 5671 as the port, otherwise 5672 > > What do you think? > > Looking forward to feedback... > > Karsten (sysexcontrol) > > Bosch Software Innovations GmbH > Development Core Products (INST/ECS6-Be) > Schöneberger Ufer 89-91 > 10785 Berlin > GERMANY > www.bosch-si.de > www.blog.bosch-si.com > > Tel. +49 30 726112-403 > Fax +49 30 726112-100 > Karsten.Frank@xxxxxxxxxxxx > > Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB > 148411 B > Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn > > _______________________________________________ > hono-dev mailing list > hono-dev@xxxxxxxxxxx > To change your delivery options, retrieve your password, or unsubscribe from > this list, visit > https://dev.eclipse.org/mailman/listinfo/hono-dev _______________________________________________ hono-dev mailing list hono-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/hono-dev _______________________________________________ hono-dev mailing list hono-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/hono-dev |