
Error after configuring HTTPS and SSL communication #111

Closed

WandQ opened this issue Jul 20, 2023 · 4 comments

Comments

WandQ commented Jul 20, 2023

I deployed the scql project locally, using docker to simulate multiple machines, and ran the sample demo successfully.
Then I tried to use https for communication. After enabling both the https and ssl options, I generated three different server.key and server.crt files with a local self-signed CA, one each for SCDB, ALICE and BOB. When a query task was sent, the following error occurred:
[error screenshot]
Attached config files:
config.yml:

scdb_host: https://localhost:8080
port: 8080
protocol: https
tls:
  cert_file: /data/ssl_certs/server.crt
  key_file: /data/ssl_certs/server.key
query_result_callback_timeout: 3m
session_expire_time: 3m
session_expire_check_time: 100ms
log_level: debug
storage:
  type: mysql
  conn_str: "root:testpass@tcp(172.23.13.246:3306)/scdb?charset=utf8mb4&parseTime=True&loc=Local&interpolateParams=true"
  max_idle_conns: 10
  max_open_conns: 100
  conn_max_idle_time: 2m
  conn_max_lifetime: 5m
grm:
  grm_mode: toygrm
  toy_grm_conf: /home/admin/configs/toy_grm.json
engine:
  timeout: 120s
  protocol: https
  content_type: application/json
  spu:
    protocol: SEMI2K
    field: FM64
    sigmoid_mode: SIGMOID_REAL

gflags.conf:

--listen_port=8080
--datasource_router=embed
--enable_scdb_authorization=true
--engine_credential=__ALICE_CREDENTIAL__
--server_enable_ssl=true
--server_ssl_certificate=/data/ssl_certs/server.crt
--server_ssl_private_key=/data/ssl_certs/server.key
--scdb_enable_ssl_as_client=true
--peer_engine_enable_ssl_as_client=true
--embed_router_conf={"datasources":[{"id":"ds001","name":"mysql db","kind":"MYSQL","connection_str":"db=alice;user=root;password=testpass;host=172.23.13.246;port=3307;auto-re:connect=true"}],"rules":[{"db":"*","table":"*","datasource_id":"ds001"}]}
jingshi-ant (Contributor) commented

Judging from the error, the problem should be that SCDB verifies the validity of the root certificate by default, and a self-signed certificate is not trusted. So, if you have assessed the corresponding risk and are in a test environment, I suggest making the self-signed root certificate a system-trusted root certificate. Run this in the scdb container: sudo cp ${your_ca_file} /etc/ssl/certs

WandQ (Author) commented Jul 20, 2023
OK, it works that way. I noticed that on the engine side you can configure scdb_enable_ssl_client_verification=false; that is used to choose whether the certificate's CA is validated, right? Does scdb have a similar option? Self-signed certificates may be used in production environments.

jingshi-ant (Contributor) commented

Currently there is no configuration option to turn off the default verification.
Also: scdb's TLS verifies the certificate issuing authority; this is the default behavior of Go's http.Server package and can be turned off by modifying the code. If there is a business need, we can consider making it configurable later, and contributions are welcome~
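As an added example (not SCQL's own code), the Go-side alternative to copying the CA into /etc/ssl/certs or turning verification off: load the self-signed root into a dedicated RootCAs pool so that chain and host-name checks stay enforced while the private CA is trusted. The function names (clientTLSConfig, verifyServerCert, testPKI) and the host name scdb.local are assumptions; the CA and server certificate are generated in-process as constructed demo data.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// clientTLSConfig keeps verification on but trusts the private CA that signed the self-signed server certs.
func clientTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// verifyServerCert is the check a Go TLS client makes with RootCAs set: chain to a trusted root, host name must match.
func verifyServerCert(cfg *tls.Config, cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// testPKI builds a throwaway root CA and a server cert it signs (constructed demo data, not the issue's certs).
func testPKI(host string) ([]byte, *x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-root-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, err := x509.CreateCertificate(rand.Reader, srv, caCert, srvPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvCert, _ := x509.ParseCertificate(srvDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), srvCert, nil
}
```

With an empty pool the same server certificate fails with an "unknown authority" error, which is the class of failure the issue hit; with the CA loaded it passes while a wrong host name is still rejected.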

WandQ (Author) commented Jul 20, 2023
OK, thanks.

WandQ closed this as completed Jul 20, 2023