Skip to content

Add set of TLS-specific sockets#119

Closed
lukebakken wants to merge 1 commit into
developfrom
features/lrb/pb-separate-encrypted-port
Closed

Add set of TLS-specific sockets#119
lukebakken wants to merge 1 commit into
developfrom
features/lrb/pb-separate-encrypted-port

Conversation

@lukebakken
Copy link
Copy Markdown

@lukebakken lukebakken commented Dec 27, 2016
edited
Loading

Status

2017-01-05 - ready for review.

Overview

  • pb and tls listener use same supervisor
  • ignore einval error from peername/1

Fixes RIAK-2913

Overview of changes:

PB

This PR introduces a tls setting in the riak_api environment that is a mirror of pb. When set, Riak will listen for TCP connections on these ports and will always assume SSL/TLS connections on the port(s) configured. The RpbStartTls message is unnecessary on these ports, and clients that connect to these ports will have to be modified to not send this message an instead send the RpbAuthReq message if security is enabled. This means that if security is not enabled, clients can still connect to this port and have encrypted communications without authentication.

I modified the code for the legacy pb ports to make the RpbStartTls message optional. If a client sends this message, TLS will be set up on the socket prior to authentication, preserving backwards compatibility. However, if the client does not send RpbStartTls and instead sends RpbAuthReq, Riak will continue to the authentication phase of the connection establishment. This allows clients to connect to Riak with security enabled but without encryption configured.

If a Riak users wishes to enforce encrypted connections, then only listener.tls... should be configured in riak.conf.

HTTP

Removed check for https in the is_authorized function. Auth credentials may be sent over HTTP or HTTPS now.

@lukebakken lukebakken self-assigned this Dec 27, 2016
@thumbot
Copy link
Copy Markdown

thumbot commented Dec 27, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port 92f4f74 ➡️ develop 8cecaba ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-27 12:45
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 92f4f74 onto target branch: develop 8cecaba
Exit Code: OK

📄







  Updating 8cecaba..92f4f74
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  16 ++++
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++-------------------
 src/riak_api_pb_server.erl     | 197 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++-------
 test/riak_api_schema_tests.erl |   4 +
 7 files changed, 155 insertions(+), 245 deletions(-)

@thumbot
Copy link
Copy Markdown

thumbot commented Dec 28, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port ca74074 ➡️ develop 8cecaba ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-27 17:04
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port ca74074 onto target branch: develop 8cecaba
Exit Code: OK

📄







  Updating 8cecaba..ca74074
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  16 ++++
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 test/riak_api_schema_tests.erl |   4 +
 7 files changed, 159 insertions(+), 247 deletions(-)

@thumbot
Copy link
Copy Markdown

thumbot commented Dec 28, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port e99146d ➡️ develop 8cecaba ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-27 17:22
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port e99146d onto target branch: develop 8cecaba
Exit Code: OK

📄







  Updating 8cecaba..e99146d
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 test/riak_api_schema_tests.erl |   4 +
 7 files changed, 161 insertions(+), 249 deletions(-)

@thumbot
Copy link
Copy Markdown

thumbot commented Dec 28, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port 9071e44 ➡️ develop 8cecaba ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-27 17:44
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 9071e44 onto target branch: develop 8cecaba
Exit Code: OK

📄







  Updating 8cecaba..9071e44
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 test/riak_api_schema_tests.erl |   4 +
 7 files changed, 161 insertions(+), 249 deletions(-)

@thumbot
Copy link
Copy Markdown

thumbot commented Dec 28, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port 8ae9785 ➡️ develop 8cecaba ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-28 08:45
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 8ae9785 onto target branch: develop 8cecaba
Exit Code: OK

📄







  Updating 8cecaba..8ae9785
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++-----
 test/riak_api_schema_tests.erl |   4 +
 8 files changed, 175 insertions(+), 272 deletions(-)

@lukebakken lukebakken mentioned this pull request Dec 28, 2016
Closed
@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from 8ae9785 to d6cd21f Compare December 29, 2016 03:15
@thumbot
Copy link
Copy Markdown

thumbot commented Dec 29, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port d6cd21f ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-28 19:15
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port d6cd21f onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..d6cd21f
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++-----
 test/riak_api_schema_tests.erl |   4 +
 8 files changed, 175 insertions(+), 272 deletions(-)

@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from d6cd21f to 6516a35 Compare December 29, 2016 16:13
@thumbot
Copy link
Copy Markdown

thumbot commented Dec 29, 2016
edited
Loading

features/lrb/pb-separate-encrypted-port 6516a35 ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2016-12-29 08:13
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 6516a35 onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..6516a35
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 203 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++-----
 test/riak_api_schema_tests.erl |   4 +
 8 files changed, 175 insertions(+), 272 deletions(-)

This was referenced Dec 30, 2016
Closed
Closed
Closed
@lukebakken lukebakken requested a review from bsparrow435 January 5, 2017 20:08
@lukebakken lukebakken changed the title Add set of TLS-specific sockets WIP: Add set of TLS-specific sockets Jan 5, 2017
@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from 6516a35 to 1275fb3 Compare January 5, 2017 20:24
@thumbot
Copy link
Copy Markdown

thumbot commented Jan 5, 2017
edited
Loading

features/lrb/pb-separate-encrypted-port 1275fb3 ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2017-01-05 12:25
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 1275fb3 onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..1275fb3
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++------------------
 src/riak_api_pb_server.erl     | 208 ++++++++++++++++++++---------------------
 src/riak_api_pb_sup.erl        |  22 -----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++-----
 test/riak_api_schema_tests.erl |   4 +
 8 files changed, 178 insertions(+), 274 deletions(-)

@lukebakken lukebakken changed the title WIP: Add set of TLS-specific sockets Add set of TLS-specific sockets Jan 5, 2017
@thumbot
Copy link
Copy Markdown

thumbot commented Jan 6, 2017
edited
Loading

features/lrb/pb-separate-encrypted-port bbe8fc5 ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2017-01-06 09:23
Duration: 2 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port bbe8fc5 onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..bbe8fc5
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++-----------------
 src/riak_api_pb_server.erl     | 219 ++++++++++++++++++++++-------------------
 src/riak_api_pb_sup.erl        |  32 +-----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++----
 test/riak_api_schema_tests.erl |   4 +
 8 files changed, 194 insertions(+), 279 deletions(-)

@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from bbe8fc5 to 5e0b6e3 Compare January 6, 2017 19:42
@thumbot
Copy link
Copy Markdown

thumbot commented Jan 6, 2017
edited
Loading

features/lrb/pb-separate-encrypted-port 5e0b6e3 ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2017-01-06 11:43
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 5e0b6e3 onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..5e0b6e3
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 105 +++----------------
 src/riak_api_pb_server.erl     | 222 ++++++++++++++++++++++-------------------
 src/riak_api_pb_sup.erl        |  32 +-----
 src/riak_api_ssl.erl           |  31 ++----
 src/riak_api_sup.erl           |  55 +++++-----
 src/riak_api_web_security.erl  |  37 +++----
 test/riak_api_schema_tests.erl |   4 +
 9 files changed, 204 insertions(+), 303 deletions(-)

@lukebakken lukebakken mentioned this pull request Jan 6, 2017
Closed
@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from 5e0b6e3 to 6d26c5e Compare January 6, 2017 22:28
@thumbot
Copy link
Copy Markdown

thumbot commented Jan 6, 2017
edited
Loading

features/lrb/pb-separate-encrypted-port 6d26c5e ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2017-01-06 14:28
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 6d26c5e onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..6d26c5e
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 +++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   | 115 +++++-----------------
 src/riak_api_pb_server.erl     | 217 +++++++++++++++++++++--------------------
 src/riak_api_pb_sup.erl        |  32 +-----
 src/riak_api_ssl.erl           |  31 ++----
 src/riak_api_sup.erl           |  55 +++++------
 src/riak_api_web_security.erl  |  37 +++----
 test/riak_api_schema_tests.erl |   4 +
 9 files changed, 208 insertions(+), 304 deletions(-)

This was referenced Jan 6, 2017
Closed
Closed
This was referenced Jan 7, 2017
Open
Closed
@lukebakken lukebakken force-pushed the features/lrb/pb-separate-encrypted-port branch from 6d26c5e to 342f8bb Compare January 10, 2017 17:25
Add set of TLS-specific sockets
342f8bb 
pb and tls listener use same sup

ignore einval error from peername

add tls schema tests

error message update

tls should be commented out by default

Revert change to error message to not reveal reason for auth failure

Remove https check from is_authorized

set socket to active

make tls handshake its own state so that listener is not blocked
@thumbot
Copy link
Copy Markdown

thumbot commented Jan 10, 2017
edited
Loading

features/lrb/pb-separate-encrypted-port 342f8bb ➡️ develop 34a6cbd ✅ completed
Looks good! 👍
✅ MERGE

Started at: 2017-01-10 09:26
Duration: 1 seconds.
Result: OK
Message: Merge Success: features/lrb/pb-separate-encrypted-port 342f8bb onto target branch: develop 34a6cbd
Exit Code: OK

📄







  Updating 34a6cbd..342f8bb
Fast-forward (no commit created; -m option ignored)
 priv/riak_api.schema           |  20 ++++-
 src/riak_api_app.erl           |   1 -
 src/riak_api_pb_listener.erl   |  95 +++++---------------
 src/riak_api_pb_server.erl     | 197 ++++++++++++++++++++++++-----------------
 src/riak_api_pb_sup.erl        |  10 +--
 src/riak_api_ssl.erl           |   9 +-
 src/riak_api_sup.erl           |  33 +++++--
 src/riak_api_web_security.erl  |  37 +++-----
 test/riak_api_schema_tests.erl |   4 +
 9 files changed, 210 insertions(+), 196 deletions(-)

@lukebakken lukebakken mentioned this pull request Jan 10, 2017
Closed
This was referenced Mar 13, 2017
Closed
Closed
@lukebakken lukebakken mentioned this pull request Apr 7, 2017
Closed
@martincox martincox closed this Jun 14, 2019
@martincox martincox deleted the features/lrb/pb-separate-encrypted-port branch June 14, 2019 09:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexmoore alexmoore Awaiting requested review from alexmoore

@angrycub angrycub Awaiting requested review from angrycub

@JeetKunDoug JeetKunDoug Awaiting requested review from JeetKunDoug

@bsparrow435 bsparrow435 Awaiting requested review from bsparrow435

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lukebakken @thumbot @martincox