Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No HTTPS support #2

Open
garethr opened this issue Aug 19, 2013 · 4 comments
Open

No HTTPS support #2

garethr opened this issue Aug 19, 2013 · 4 comments

Comments

@garethr
Copy link

garethr commented Aug 19, 2013

etcd supports HTTPS for both transport security and for client authentication with client certificates: https://github.com/coreos/etcd#transport-security-with-https

Do you have any plans or interest in supporting this within etcd-rb? This looks like the most mature etcd ruby client at present, in particular with the handling of the clustering.

It looks like HTTPClient has some SSL support: https://github.com/nahi/httpclient/blob/master/sample/ssl/ssl_client.rb

@iconara
Copy link
Owner

iconara commented Aug 19, 2013

It's on my rough list of things to do, and I'll leave this issue open until I fix it. Thanks for suggesting it. I'll accept a pull request too, if you want to take it on.

@garethr
Copy link
Author

garethr commented Aug 19, 2013

Thanks, if I get chance to have a look I'll let you know. I'm hoping to use in https://github.com/garethr/hiera-etcd for reference.

@ncb
Copy link

ncb commented Oct 31, 2013

I've been experimenting with how to enable SSL support and got it working, but not very elegantly.

The user needs to specify when the launch the initial Etcd::Client.connect() a few things:

  • An optional CA cert file (to handle self-signed server certificates)
  • An optional client certificate and key (signed by a certificate recognised by the etcd service)
  • And optionally whether to perform SSL verification

In the codebase, there's several places where httpclient is called. The challenge I found is ensuring that each time httpclient is called, httpclient.ssl_config is configured correctly. In my hacky version, there didn't seem one obvious place to store the ca_cert_file, client_cert_file and client_key_file variables that could be consistently accessed between httpclient calls in requestable.rb, cluster.rb and node.rb. Maybe someone smarter than me will think of an obvious place to stash it.

Example gist of the minimum http_client.ssl_config setup required here: https://gist.github.com/ncb/7253559

@mindreframer
Copy link
Collaborator

That's interesting, I will take a look at this soonish... Thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants