customized certificate not work
Ha0124 opened this issue · comments
Introduction
When using plaintext certificates for verification, communication between services can occur. If the certificate is encrypted, communication cannot be completed. Can an interface be provided for this type of scenario?
Contents
If I use customized certificates and paired password keys, can it be compatible with such scenarios?
Related work
@Ha0124 hi, thank you for your feedback. When you mentioned 'customized certificates,' are you referring to self-signed certificates? Or are you saying that these certificates have passwords?
If possible, could you provide any feasible solutions or implementations you have encountered or seen in other products?
When I try to use the SSL encryption function following https://docs.nebula-graph.io/3.6.0/7.data-security/4.ssl/ ,
I try to use the provided case from /tests, downloading it locally,
and then add
--password_path=/xx/xx/xx/test.ca.password
--key_path=/xx/xx/xx//nebula/test.ca.key
--cert_path=/xx/xx/xx/test.ca.pem
--enable_ssl=true
to nebula-graphd.conf, nebula-metad.conf and nebula-storaged.conf,
but it doesn't work.
When I set --enable_ssl=false, the services can be linked.
Does the SSL encryption function have limits?
After you configured the SSL information, did you restart the three services?
You should re-generate the certs; you could refer to https://github.com/vesoft-inc/nebula-go/tree/master/nebula-docker-compose/secrets for generation, and to https://github.com/vesoft-inc/nebula-go/blob/master/nebula-docker-compose/docker-compose-ssl.yaml and https://github.com/vesoft-inc/nebula-go/blob/master/nebula-docker-compose/.env for usage in nebula.
After the RSA key pair is generated using the openssl genrsa command, we encrypted the RSA key pair using the openssl rsa command with AES-256-CBC. The key file encrypted using AES-256-CBC is used to meet security requirements. However, nebula may not be able to parse such a key file.
The password in nebula just encrypts like passout in openssl genrsa, e.g.

```shell
echo "123456" > passphrase.txt
# -aes256 selects the cipher; without a cipher flag genrsa writes the key in plaintext even when -passout is given
openssl genrsa -aes256 -passout file:passphrase.txt -out privkey.pem 2048
# and then password_path should be passphrase.txt
```
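The two comments above describe the same end result in two ways: encrypting an existing plaintext key afterwards with `openssl rsa -aes256`, or producing it encrypted directly with `genrsa -passout`. The script below is an added example (not code from this thread, from NebulaGraph or from nebula-go) that does both, then checks the properties a service reading `--key_path` and `--password_path` would rely on: the PEM really is passphrase-protected, it decrypts only with the passphrase in the password file, and the certificate's public key matches the key. The working directory, file names, passphrase and certificate subject are constructed placeholders; it assumes only a standard `openssl` binary.

```shell
#!/bin/sh
# Added example: build a passphrase-protected key + self-signed cert pair and
# verify it offline. All paths and the passphrase are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
PASSFILE="$WORK/test.ca.password"   # what --password_path would point at
KEYFILE="$WORK/test.ca.key"         # what --key_path would point at
CERTFILE="$WORK/test.ca.pem"        # what --cert_path would point at
PLAINKEY="$WORK/plain.key"          # intermediate plaintext key for method 2

# Passphrase file: a single line. openssl's "file:" source reads the first line.
printf '%s\n' 'example-passphrase' > "$PASSFILE"
chmod 600 "$PASSFILE"

# Method 1 (maintainer's suggestion): generate the key already encrypted.
# -aes256 chooses the cipher; -passout alone would leave the key in plaintext.
openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$KEYFILE" 2048 2>/dev/null

# Self-signed certificate from that key, unlocking it with the same passphrase.
openssl req -new -x509 -days 365 -key "$KEYFILE" -passin "file:$PASSFILE" \
    -subj '/CN=example-test-ca' -out "$CERTFILE" 2>/dev/null

# Method 2 (reporter's workflow): plaintext key first, then AES-256-CBC wrap it.
openssl genrsa -out "$PLAINKEY" 2048 2>/dev/null
reencrypt_key() {
    # reencrypt_key IN OUT PASSFILE -> writes an AES-256 encrypted copy of IN to OUT
    openssl rsa -in "$1" -aes256 -passout "file:$3" -out "$2" 2>/dev/null
}
REENC_KEY="$WORK/reencrypted.key"
reencrypt_key "$PLAINKEY" "$REENC_KEY" "$PASSFILE"

# key_is_encrypted FILE -> 0 if the PEM carries an encryption marker
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY")
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_opens_with KEY PASSFILE -> 0 only if KEY decrypts with that passphrase
key_opens_with() {
    openssl rsa -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# cert_matches_key CERT KEY PASSFILE -> 0 if the cert's public key equals the key's
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl rsa -in "$2" -passin "file:$3" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Summary for a human running the script by hand.
key_is_encrypted "$KEYFILE"     && echo "genrsa key: encrypted"
key_is_encrypted "$REENC_KEY"   && echo "re-encrypted key: encrypted"
key_is_encrypted "$PLAINKEY"    || echo "plaintext key: not encrypted (as expected)"
key_opens_with "$KEYFILE" "$PASSFILE" && echo "key opens with password file"
cert_matches_key "$CERTFILE" "$KEYFILE" "$PASSFILE" && echo "cert matches key"
```

Both methods yield a key that only the passphrase in the password file can open, which is the property a service must satisfy before it can present the certificate; if `key_opens_with` fails for the password file you intend to configure, the service will fail in the same way. Note that `grep 'ENCRYPTED'` is a quick header check, not a substitute for actually decrypting the key.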
If I do encrypt the cert, will it be accepted in nebula?