Support tlsmode #555
Support tlsmode #555
Conversation
sitingren
requested review from
tanvipise,
williammatherjones,
DMickens and
kevinkarch88
README.md
Outdated
| | 'disable' | False | only try a non-TLS connection. | | ||
| | 'prefer' | (not set) | (Default) first try a TLS connection; if TLS is disabled on the server, then fallback to a non-TLS connection. <br>Note: If TLS is enabled on the server and TLS connection fails, the client rejects the connection. | | ||
| | 'require' | True | connects using TLS without verifying certificates. If the TLS connection attempt fails, the client rejects the connection. | | ||
| | 'verify-ca' || connects using TLS and confirms that the server certificate has been signed by the certificate authority. | |
There was a problem hiding this comment.
similar nit, I would change the description slightly to say "...signed by a trusted certificate authority."
There was a problem hiding this comment.
and same change to the relevant part of verify-full
| @@ -84,7 +95,7 @@ def _generate_and_set_certificates(self, mutual_mode=False): | |||
| # This CA certificate is used to verify client certificates | |||
| cur.execute('ALTER TLS CONFIGURATION server CERTIFICATE vp_server_cert ADD CA CERTIFICATES vp_CA_cert') | |||
| # Enable TLS. Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. | |||
| # If the client does not present a client certificate, the connection uses plaintext. | |||
There was a problem hiding this comment.
good adjustment, more secure
vertica_python/vertica/connection.py
Outdated
| raw_socket = self.enable_ssl(raw_socket, ssl_options) | ||
| # If TLSmode option and SSL option are set, TLSmode option takes precedence. | ||
| ssl_context = None | ||
| if tlsmode_options is not None: |
There was a problem hiding this comment.
Would this logic be clearer as a function that takes tlsmode_options and ssl_options and returns the correct tlsmode?
tlsmode = _initTLSMode(self.options.get('tlsmode'), self.options.get('ssl'))
There was a problem hiding this comment.
Yes, this part will be wrapped into a function eventually, since this affects future works of making load balancing TLS encrypted, so I didn't do it. Now commit is pushed.
| from typing import Optional | ||
|
|
||
|
|
||
| class TLSMode(Enum): |
There was a problem hiding this comment.
Nice and clean. I like your implementation of this class.
tlsmode.sslis not set, change its behavior from tlsmode='disable' to tlsmode='prefer'.