Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat[bmq, mqb]: Support TLS listeners #549

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

hallfox
Copy link
Collaborator

@hallfox hallfox commented Dec 16, 2024

Added

  • TLS configuration in broker config
  • Helper script for generating test certs and CAs
  • TLS options for NtcChannel
  • Loading certificates and authority data specified from bmqbrkrcfg.json
  • SessionOptions to bmq package for configuring client sessions
  • --tls-authority and --tls-version options to bmqtool to configure session options
  • Client sessions will now require broker TLS sessions when TLS protocol versions are specified
  • Create CertificateStore component for bmqio
  • Integration tests for TLS

Changed

  • Update ntf-core and bde dependencies

@hallfox hallfox changed the title Support TLS listeners Feat[bmq, mqb]: Support TLS listeners Dec 16, 2024
@hallfox hallfox force-pushed the tls-poc branch 5 times, most recently from 93f478c to a1e957d Compare December 17, 2024 21:15
Copy link
Contributor

@chrisbeard chrisbeard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very quick pass on the draft

Comment on lines +11 to +12
"loggingVerbosity": "TRACE",
"consoleSeverityThreshold": "TRACE",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change intentional?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, seems like a leftover from local testing

Comment on lines +256 to +257
<< ", status: " << st
<< "]"; // #review st -> status? bug here before
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch

ntca::EncryptionClientOptions encryptionClientOptions;
// Set the minimum version to TLS 1.3
encryptionClientOptions.setMinMethod(ntca::EncryptionMethod::e_TLS_V1_3);
encryptionClientOptions.setMaxMethod(ntca::EncryptionMethod::e_TLS_V1_3);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious to see what others think here. From the ntc docs, it looks like we could use e_DEFAULT here. The client can then use v1.3 up to ntc's max supported version without needing to make code changes here (when 1.4 eventually lands)?

struct EncryptionMethod {
  public:
    /// Enumerate the methods of encryption.
    enum Value {
        /// When specified as a minimum version, the minimum version is
        /// interpreted as the minimum version suggested by the current
        /// standards of cryptography. When specified as a maximum version, the
        /// maximum version is interpreted as the maximum version supported by
        /// the implementation.
        e_DEFAULT,
        ...

Added
=====

- TLS configuration in broker config
- Helper script for generating test certs and CAs
- TLS options for NtcChannel
- Loading certificates and authority data specified from bmqbrkrcfg.json
- SessionOptions to bmq package for configuring client sessions
- --tls-authority and --tls-version options to bmqtool to configure
  session options
- Client sessions will now require broker TLS sessions when TLS protocol
  versions are specified
- Create CertificateStore component for bmqio
- Integration tests for TLS

Changed
=======

- Update ntf-core and bde dependencies

Signed-off-by: Taylor Foxhall <tfoxhall@bloomberg.net>

Signed-off-by: Evgeny Malygin <emalygin@bloomberg.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants