asynctnt
SSL support
Fix running tests for Tarantool Enterprise
Stream tests use tarantool -V output to check the version. For Tarantool Enterprise, tarantool -V output is "Tarantool Enterprise
Part of #22
Rename internal _transport variable
"transport" is a keyword that is used to define an SSL connection in Tarantool Enterprise 2.10 and newer. It would be convenient to use self._transport to store the user-supplied transport variable, but this name is already used to store the connection transport. This patch renames the instance variable.
Part of #22
Support SSL encrypted connection to Tarantool EE
This patch adds support for using SSL to encrypt the client-server communications [1]. The patch is based on a similar patch in tarantool/tarantool-python connector [2].
To use an SSL encrypted connection, use the following Connection parameters:

```python
import asynctnt

conn = asynctnt.Connection(host='127.0.0.1',
                           port=3301,
                           transport=asynctnt.Transport.SSL,
                           ssl_key_file='./ssl/host.key',
                           ssl_cert_file='./ssl/host.crt',
                           ssl_ca_file='./ssl/ca.crt',
                           ssl_ciphers='ECDHE-RSA-AES256-GCM-SHA384')
```
If the Tarantool server uses the "ssl" transport, the client connection also needs to use the asynctnt.Transport.SSL transport. If the server side has ssl_ca_file set, ssl_key_file and ssl_cert_file are mandatory on the client side, otherwise they are optional. The CA file and ciphers are optional. See the available ciphers in the Tarantool EE documentation [3].
[1] https://www.tarantool.io/en/enterprise_doc/security/#enterprise-iproto-encryption
[2] https://github.com/tarantool/tarantool-python/pull/220
[3] https://www.tarantool.io/en/enterprise_doc/security/#supported-ciphers
Closes #22
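The parameter rules in the commit above (key and cert only make sense as a pair, a CA file is what turns on verification of the server certificate, and the cipher string must be one the local OpenSSL actually knows) are easy to get wrong at the call site. The helper below is an added example, not asynctnt's own code: it maps the same ssl_* parameter names onto a standard-library ssl.SSLContext so the combination can be checked before a connection is attempted. The assumed semantics (CA file implies CERT_REQUIRED, no hostname matching because Tarantool is normally addressed by IP, TLS 1.2 minimum) are this example's choices and are not taken from the connector.

```python
import ssl
from typing import Dict, List, Optional


def validate_ssl_params(ssl_key_file: Optional[str] = None,
                        ssl_cert_file: Optional[str] = None,
                        ssl_ca_file: Optional[str] = None) -> Optional[str]:
    """Return an error message for an inconsistent parameter set, else None.

    Assumption (not asynctnt's code): a client certificate is only usable
    when both its key and its cert are given.
    """
    if (ssl_key_file is None) != (ssl_cert_file is None):
        return "ssl_key_file and ssl_cert_file must be set together"
    return None


def build_client_ssl_context(ssl_key_file: Optional[str] = None,
                             ssl_cert_file: Optional[str] = None,
                             ssl_ca_file: Optional[str] = None,
                             ssl_ciphers: Optional[str] = None) -> ssl.SSLContext:
    """Build a client SSLContext from asynctnt-style ssl_* parameters.

    Raises ValueError for an inconsistent parameter set and ssl.SSLError
    for a cipher string that matches nothing in the local OpenSSL.
    """
    problem = validate_ssl_params(ssl_key_file, ssl_cert_file, ssl_ca_file)
    if problem is not None:
        raise ValueError(problem)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # Assumption: the server is addressed by IP, so hostname matching is off;
    # trust is anchored on the CA file instead.  check_hostname must be
    # cleared before verify_mode can be relaxed.
    ctx.check_hostname = False
    if ssl_ca_file is not None:
        ctx.load_verify_locations(cafile=ssl_ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # No CA file: the connection is encrypted but the peer is not
        # authenticated.  This is the weaker of the two configurations.
        ctx.verify_mode = ssl.CERT_NONE

    if ssl_cert_file is not None:
        # Client certificate for the server-side ssl_ca_file case.
        ctx.load_cert_chain(certfile=ssl_cert_file, keyfile=ssl_key_file)

    if ssl_ciphers is not None:
        # Fails fast with ssl.SSLError("No cipher can be selected.") if the
        # string names nothing the local OpenSSL build supports.
        ctx.set_ciphers(ssl_ciphers)
    return ctx


def cipher_string_is_valid(ssl_ciphers: str) -> bool:
    """True if the local OpenSSL can select at least one cipher from the string."""
    try:
        build_client_ssl_context(ssl_ciphers=ssl_ciphers)
        return True
    except ssl.SSLError:
        return False


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the security-relevant settings of a built context."""
    names: List[str] = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verify_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
        "ciphers": names,
    }


if __name__ == "__main__":
    # Cipher from the Connection example above, no client cert, no CA.
    summary = describe_context(
        build_client_ssl_context(ssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384"))
    print(summary["verify_server_cert"], summary["min_version"])
    print(cipher_string_is_valid("NOT-A-CIPHER"))
```

Note that TLS 1.3 suites still appear in get_ciphers() after set_ciphers(): OpenSSL controls them separately, so the ssl_ciphers string only restricts TLS 1.2 negotiation.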
Support starting Tarantool server with SSL
An SSL encrypted server can be started with Tarantool Enterprise 2.10 or newer. To configure encryption, additional listen params must be passed. ssl_key_file and ssl_cert_file are mandatory if the transport is asynctnt.Transport.SSL.
Follows up #22
Add SSL tests
To run SSL tests, use Tarantool Enterprise 2.10 or newer and set the TEST_TT_SSL=TRUE flag. The patch is based on a similar patch in the tarantool/tarantool-python connector [1].
[1] https://github.com/tarantool/tarantool-python/pull/220
Follows up #22
To run SSL tests with CI, it is required to have a token to download Tarantool Enterprise Edition. Unfortunately, it seems that it is impossible for now due to legal reasons. We're discussing this with Product team to make it possible or provide some alternative solutions, but for now there are no results.
Is there a way to emulate SSL support from Tarantool Enterprise for tests?
nginx proxy + Tarantool
or openssl server proxy + Tarantool
It will not be possible to test full compatibility with Tarantool Enterprise, but basic TLSv1.2 support seems to me possible to test: https://www.tarantool.io/ru/enterprise_doc/security/#traffic-encryption
@Mons said in Russian Tarantool Community chat discussion that it won't work: https://t.me/tarantoolru/188258
To be honest, I don't understand why. If we look at the code in the pull request, the binary protocol is simply wrapped by TLS. Could you try to test it (or ask @Mons for the exact reason) to make it clear?
Yeah, I will try to
Thank you for this awesome contribution! Just a few points, I think, need to be addressed. My main concern is automatic tests. It is super important to be able to test this new SSL addition automatically in the GitHub Actions environment. It is pretty dangerous to be releasing and (which is more important) supporting in the future functionality that cannot be tested in any way. Please suggest a viable solution to this. Looking forward to hearing from you.
Yes, I agree with you. Due to a holiday season we haven't been able to discuss this matter yet, but we definitely will as soon as possible.
> @Mons said in Russian Tarantool Community chat discussion that it won't work: https://t.me/tarantoolru/188258

It seems I was wrong