Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Hi Karsten,

thanks for the proposal. I have added some comments below...

Kai

On Mon, 2017-03-06 at 12:09 +0000, Frank Karsten (INST/ECS4) wrote:
> Hello,
> 
> while writing a HelloWorld tutorial for Hono to produce a Java client that is
> as simple as possible,
> I found out that:
> 
> - the Hono client is written for both variants (encrypted/unencrypted) and
> switches to "amqps" resp. "amqp" as protocol designator
> 
> - the Hono server though currently can be configured to EITHER encrypted (based
> on hono.server.keyStorePath) OR unencrypted (if hono.server.keyStorePath is
> null, i.e. not configured) communication
> 
> 
> -> I propose to make the Hono server more flexible, so that both variants can
> be supported at the same time.
> 
> 
> I have the following in mind:
> 
> 1.) default should remain "only one port configured for SSL"
> 
agreed, we should always bind a "secure" port if keys are configured

> Hono server will always insist on finding this already available port and
> behaves like implemented: opens it for EITHER encrypted OR unencrypted
> communication.
> 
> Configuration:
> 
> hono:
>    server:
>       port: 5672
> 
> 
if keys are configured the secure port should better be 5671 which is the IANA
registered port for AMQPS (aka AMQP over TLS)

> 2.) optionally a second port can be opened
> 
> Configuration:
> 
> hono:
>    server:
>       unEncryptedPort: 5671
> 
I'd rather call the ports "secure" and "unsecure" and the default for "unsecure"
should be 5672 (as defined by the spec)

> 
> If Hono server additionally finds the port "unEncryptedPort" configured, it
> will open this as well and always opens it for unencrypted communication.
> 
> 3.) Hono client remains unchanged - it already works with both variants of
> server ports.
> 
IMHO we should adapt its behavior based on the default ports for secure and
unsecure communication, i.e. if no port is specified but a trust store is
configured, we should assume 5671 as the port, otherwise 5672

> 
> What do you think?
> 
> Looking forward to feedback...
> 
> Karsten (sysexcontrol)
> 
> Bosch Software Innovations GmbH
> Development Core Products (INST/ECS6-Be)
> Schöneberger Ufer 89-91
> 10785 Berlin
> GERMANY
> www.bosch-si.de
> www.blog.bosch-si.com
>  
> Tel. +49 30 726112-403
> Fax +49 30 726112-100
> Karsten.Frank@xxxxxxxxxxxx
> 
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB
> 148411 B
> Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
> 

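The dual-port scheme and the client default-port rule discussed in this thread, as an added Python example that is not Hono's own code; the `securePort`, `unsecurePort` and `trustStorePath` keys are assumed names chosen to follow Kai's "secure"/"unsecure" suggestion, not actual Hono properties.

```python
# Added example modelling the port scheme proposed in this thread.
# Key names other than keyStorePath are assumptions, not real Hono properties.
AMQPS_PORT = 5671  # IANA-registered port for AMQP over TLS ("amqps")
AMQP_PORT = 5672   # port defined by the AMQP spec for plain "amqp"


def resolve_server_listeners(server_cfg):
    """Return the (port, scheme) listeners the server should bind.

    Rules from the thread: if a key store is configured, a secure port is
    always bound (default 5671); an additional 'unsecurePort' is bound as
    plain AMQP; without a key store only the plain port is bound.
    """
    listeners = []
    if server_cfg.get("keyStorePath"):
        listeners.append((server_cfg.get("securePort", AMQPS_PORT), "amqps"))
        if "unsecurePort" in server_cfg:
            listeners.append((server_cfg["unsecurePort"], "amqp"))
    else:
        # No keys: the single port can only ever carry unencrypted traffic.
        listeners.append((server_cfg.get("unsecurePort", AMQP_PORT), "amqp"))
    ports = [port for port, _ in listeners]
    if len(set(ports)) != len(ports):
        raise ValueError("secure and unsecure listeners must use distinct ports")
    return listeners


def resolve_client_endpoint(client_cfg):
    """Pick (scheme, port) for a client as Kai suggests: an explicit port wins;
    otherwise a configured trust store implies amqps/5671, else amqp/5672."""
    explicit_port = client_cfg.get("port")
    if client_cfg.get("trustStorePath"):
        return ("amqps", explicit_port or AMQPS_PORT)
    return ("amqp", explicit_port or AMQP_PORT)


def client_can_connect(listeners, endpoint):
    """True if the client's chosen scheme and port match a bound listener.

    This exposes the mismatch in the current single-port behaviour: a client
    without a trust store defaults to plain 5672, which a server that only
    bound a secure port will not be listening on.
    """
    scheme, port = endpoint
    return (port, scheme) in listeners
```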