Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Good answer, thank you Paolo!

I'll try again to summarize (in my words) and merge all the ideas:



1) leverage the IANA defaults if "hono.server.port" is not configured:

"hono.server.keyStorePath" found -> 5671, otherwise 5672.

The port used is logged explicitly at INFO.


2) let the user explicitly configure "hono.server.port":

only print a warning if that violates the IANA defaults from 1), but nevertheless open the desired port.

The port used is logged explicitly at INFO.


3) additional insecure port available if flag "hono.server.allowInsecure = true":

Port determined by "hono.server.insecurePort":

- set? then use it

- not set? then use the IANA default 5672

Exception for this port during startup if:
- port conflicts with 1) (misconfiguration)
- configured to port 5671 (not necessary or desirable to support this configuration).



Personally I think this could be the solution - it is flexible, simple enough and enforces IANA defaults.

What do you think?

Karsten

Bosch Software Innovations GmbH
Development Core Products (INST/ECS6-Be)

Schöneberger Ufer 89-91

10785 Berlin

GERMANY

www.bosch-si.de
www.blog.bosch-si.com
 
Tel. +49 30 726112-403

Fax +49 30 726112-100

Karsten.Frank@xxxxxxxxxxxx


Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B

Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
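To make the three rules above concrete, here is a small model of the proposed port resolution written for this thread; it is an added example, not Hono's own code, and it also covers the scenarios Paolo asks about further down (key store set or not, main port set or not, extra insecure port set or not). It assumes a flat property map whose port values are already parsed to integers, and the logger name is made up.

```python
import logging
from dataclasses import dataclass, field

IANA_AMQPS = 5671  # IANA registered port for AMQP over TLS
IANA_AMQP = 5672   # IANA registered port for plain AMQP

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("hono.ports")  # hypothetical logger name


class PortConfigError(ValueError):
    """Raised for the misconfigurations that rule 3 says must abort startup."""


@dataclass
class Listener:
    port: int
    tls: bool


@dataclass
class PortPlan:
    listeners: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def as_pairs(self):
        """(port, tls) tuples in the order the listeners would be bound."""
        return [(l.port, l.tls) for l in self.listeners]


def resolve_ports(config):
    """Apply rules 1-3 from the summary to a property map like
    {"hono.server.keyStorePath": ..., "hono.server.port": ..., ...}."""
    has_keys = bool(config.get("hono.server.keyStorePath"))
    plan = PortPlan()

    # Rule 1: no explicit port -> IANA default, chosen by whether a key store exists.
    port = config.get("hono.server.port")
    if port is None:
        port = IANA_AMQPS if has_keys else IANA_AMQP
    # Rule 2: an explicit port is always honoured; a swapped IANA default only warns.
    elif has_keys and port == IANA_AMQP:
        plan.warnings.append(
            f"port {port} is the IANA plain-AMQP port but a key store is configured")
    elif not has_keys and port == IANA_AMQPS:
        plan.warnings.append(
            f"port {port} is the IANA AMQPS port but no key store is configured")
    # Whether this port is secure is decided solely by the presence of the key store.
    plan.listeners.append(Listener(port, tls=has_keys))
    log.info("main AMQP port %d (%s)", port, "TLS" if has_keys else "plain")

    # Rule 3: an additional plain port is opened only when explicitly allowed.
    if config.get("hono.server.allowInsecure") is True:
        insecure = config.get("hono.server.insecurePort", IANA_AMQP)
        if insecure == IANA_AMQPS:
            raise PortConfigError(
                "hono.server.insecurePort must not be 5671 (reserved for the TLS port)")
        if insecure == port:
            raise PortConfigError(
                f"hono.server.insecurePort {insecure} conflicts with hono.server.port {port}")
        plan.listeners.append(Listener(insecure, tls=False))
        log.info("additional insecure AMQP port %d", insecure)

    for warning in plan.warnings:
        log.warning(warning)
    return plan


if __name__ == "__main__":
    # Constructed sample: key store present, insecure port allowed with its default.
    sample = {"hono.server.keyStorePath": "/etc/hono/certs/server.p12",  # constructed path
              "hono.server.allowInsecure": True}
    print(resolve_ports(sample).as_pairs())  # -> [(5671, True), (5672, False)]
```

Note that with no key store and `allowInsecure = true` left at its default insecure port, the model raises because both listeners would claim 5672; that matches the "port conflicts with 1)" case and is the check a reviewer would want to see covered by a test.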


From: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx] on behalf of Paolo Patierno [ppatierno@xxxxxxxx]
Sent: Monday, 6 March 2017 18:11
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

I'm a bit confused about that because it seems that in this way the "hono.server.port" can have two different meanings ...


Secure port if keyStorePath is set

Insecure port if keyStorePath is not set


but then ... if we set the keyStorePath, then the Insecure port is specified with another parameter "hono.server.insecurePort".


Making hono.server.port mandatory, we can't leverage the IANA defaults.


If it's not mandatory and using Kai's idea around the "allowInsecure" flag, we can have:


1) 

keyStorePath = <keyStorePath>

port = not configured or <port>


Only secure default 5671 (or <port>)


2)

keyStorePath = <keyStorePath>

port = not configured or <port>

allowInsecure = true

insecurePort = not configured or <insecurePort>


both secure default 5671 (or <port>) and insecure (or <insecurePort>)


Agree about warnings if default ports are used in the "wrong" way.


Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience



From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Frank Karsten (INST/ECS4) <Karsten.Frank@xxxxxxxxxxxx>
Sent: Monday, March 06, 2017 4:57 PM
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time
 
Thanks for all comments, I'd like to refine my proposal, with the goal of keeping things simple, to the following:



1.) "hono.server.port":

Is mandatory.

We stick to the strategy that Hono decides if the port is secure only by trying to find a "keyStorePath" configured.

We then reflect the standard port behaviour for AMQP (5671 secure, 5672 insecure) by printing a WARNING to the log files if it is violated.

Warnings are printed for:
- 5671 but no keyStorePath found
- 5672 but keyStorePath found

Why that?
I would prefer warnings instead of exceptions purely for flexibility: starting several Hono instances on the same machine (without using docker) can sometimes be very handy, and this would not be possible anymore if Hono refuses to start.




2.) "hono.server.insecurePort":

Is optional, and always insecure, so no keyStorePath for that port.

Must never be set to 5671 (exception thrown) - the secure port can only be configured via "hono.server.port".



This would still be rather simple, still flexible, and to a certain extent reflect the standard port behaviour for AMQP.

What do you think?

Bosch Software Innovations GmbH
Development Core Products (INST/ECS6-Be)

Schöneberger Ufer 89-91

10785 Berlin

GERMANY

www.bosch-si.de
www.blog.bosch-si.com
 
Tel. +49 30 726112-403

Fax +49 30 726112-100

Karsten.Frank@xxxxxxxxxxxx


Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B

Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn


From: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx] on behalf of Paolo Patierno [ppatierno@xxxxxxxx]
Sent: Monday, 6 March 2017 17:07
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Some scenarios ... because I'm a little confused about the possibilities ...


1)

hono.server.keyStorePath = null

hono.server.port not configured

hono.server.unsecurePort not configured (or hono.server.unsecurePort = <unsecure_port>)


Does the Hono server open only the default "unsecure" 5672 (or <unsecure_port>) port, or throw an exception because we want AT LEAST the secured one? So "unsecure port" not configured means ... don't open this port?


2)

hono.server.keyStorePath = <keyStorePath>

hono.server.port not configured (or hono.server.port = <port>)

hono.server.unsecurePort not configured


Hono server opens only the default "secure" 5671 port (or <port>)


3)


hono.server.keyStorePath = <keyStorePath>

hono.server.port not configured (or hono.server.port = <port>)

hono.server.unsecurePort = <unsecure_port>


Hono server opens both default "secure" 5671 (or <port>) and <unsecure_port>


What is the way to open both default ports?


It seems to me that setting hono.server.keyStorePath or not --> open a "secure" port or not.


But what about opening the "unsecure" one? Not configured --> open the default 5672, or not open it?


Thanks,

Paolo




Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT
Microsoft Azure Advisor 

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience



From: hono-dev-bounces@xxxxxxxxxxx <hono-dev-bounces@xxxxxxxxxxx> on behalf of Maas Ingo (INST/ECS4) <Ingo.Maas@xxxxxxxxxxxx>
Sent: Monday, March 06, 2017 3:48 PM
To: hono developer discussions
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time
 
Improving Kai's proposal, I would prefer "insecure" instead of "unsecure".

Kind regards,

Ingo Maas

Bosch Software Innovations GmbH
INST/ECS4
Schöneberger Ufer 89 - 91
10785 Berlin
GERMANY
www.bosch-si.de

Tel. +49 30 726112-156
Fax +49 30 726112-100
ingo.maas@xxxxxxxxxxxx

Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B
Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn

________________________________________
From: hono-dev-bounces@xxxxxxxxxxx [hono-dev-bounces@xxxxxxxxxxx] on behalf of Hudalla Kai (INST/ECS4) [Kai.Hudalla@xxxxxxxxxxxx]
Sent: Monday, 6 March 2017 14:33
To: hono-dev@xxxxxxxxxxx
Subject: Re: [hono-dev] Support for encrypted and unencrypted AMQP port in Hono at the same time

Hi Karsten,

thanks for the proposal. I have added some comments below...

Kai

On Mon, 2017-03-06 at 12:09 +0000, Frank Karsten (INST/ECS4) wrote:
> Hello,
>
> while writing a HelloWorld tutorial for Hono to produce a Java client that is
> as simple as possible, I found out that:
>
> - the Hono client is written for both variants (encrypted/unencrypted) and
> switches to "amqps" resp. "amqp" as protocol designator
>
> - the Hono server though currently can be configured to EITHER encrypted (based
> on hono.server.keyStorePath) OR unencrypted (if hono.server.keyStorePath is
> null, i.e. not configured) communication
>
>
> -> I propose to make the Hono server more flexible, so that both variants can
> be supported at the same time.
>
>
> Following I have in mind:
>
> 1.) default should remain "only one port configured for SSL"
>
agreed, we should always bind a "secure" port if keys are configured

> Hono server will always insist on finding this already available port and
> behaves like implemented: opens it for EITHER encrypted OR unencrypted
> communication.
>
> Configuration:
>
> hono:
>    server:
>       port: 5672
>
>
if keys are configured, the secure port should better be 5671, which is the IANA
registered port for AMQPS (aka AMQP over TLS)

> 2.) optionally a second port can be opened
>
> Configuration:
>
> hono:
>    server:
>       unEncryptedPort: 5671
>
I'd rather call the ports "secure" and "unsecure", and the default for "unsecure"
should be 5672 (as defined by the spec)

>
> If Hono server additionally finds the port "unEncryptedPort" configured, it
> will open this as well and always opens it for unencrypted communication.
>
> 3.) Hono client remains unchanged - it already works with both variants of
> server ports.
>
IMHO we should adapt its behavior based on the default ports for secure and
unsecure communication, i.e. if no port is specified but a trust store is
configured, we should assume 5671 as the port, otherwise 5672

>
> What do you think?
>
> Looking forward to feedback...
>
> Karsten (sysexcontrol)
>
> Bosch Software Innovations GmbH
> Development Core Products (INST/ECS6-Be)
> Schöneberger Ufer 89-91
> 10785 Berlin
> GERMANY
> www.bosch-si.de
> www.blog.bosch-si.com
>
> Tel. +49 30 726112-403
> Fax +49 30 726112-100
> Karsten.Frank@xxxxxxxxxxxx
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB
> 148411 B
> Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
> _______________________________________________
> hono-dev mailing list
> hono-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/hono-dev