How do I enable TLS on an Apache Arrow FlightClient in Java?
Question
The documentation for the Java Apache Arrow (v11.0.0) FlightClient.Builder has several methods related to constructing a TLS-enabled client:
clientCertificate(InputStream clientCertificate, InputStream clientKey)
useTls()
overrideHostname(String hostname)
trustedCertificates(InputStream stream)
verifyServer(boolean verifyServer)
The descriptions aren't detailed enough for me to understand which ones are needed to enable and use TLS in connections with a FlightServer. There could easily be some gap in my understanding of TLS that would help me more easily consume this documentation.
Do I need to use all of these? Are some of them redundant? How are they related?
Answer 1
Score: 1
I took a look at the code that implements this API for some insights.
useTls simply tells the underlying client builder to start putting together SSL Context for the TLS-enabled client. The same effect is achieved by having the grpc+tls scheme attached to the location attribute.
The rest of the options are used for adding to the SSL Context. The context builder is provided by io.netty.handler.ssl.SslContextBuilder.
- clientCertificate(cert, key) adds the provided cert/key to the SSL Context's key manager.
- trustedCertificates(cert) adds the provided cert to the trust manager (for third party connection verification).
- verifyServer(bool) cannot be false if either of the above two are provided, since they are required to verify the server. If this is false, the trust manager will simply be set up using InsecureTrustManagerFactory.INSTANCE.
- overrideHostname(hostname) calls the underlying overrideAuthority() on the channel builder. This isn't really related to what I'm trying to do.
Do I need to use all of these (ignoring overrideHostname)? It depends on how the TLS is configured on the server the client will connect to.
Are any of them redundant? useTls() is redundant if the location attribute already has the TLS scheme attached.
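How the builder methods discussed above fit together, as an added example that is not part of the original answer or the Arrow project's code. The class name, the connect helper and the PEM file arguments are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.arrow.flight.Criteria;
import org.apache.arrow.flight.FlightClient;
import org.apache.arrow.flight.FlightInfo;
import org.apache.arrow.flight.Location;
import org.apache.arrow.memory.BufferAllocator;
import org.apache.arrow.memory.RootAllocator;

public class TlsFlightClientExample {
    // Hypothetical helper. certPem and keyPem are both null for server-authenticated
    // TLS, or both set when the server also demands a client certificate (mutual TLS).
    static FlightClient connect(BufferAllocator allocator, String host, int port,
                                Path caPem, Path certPem, Path keyPem) throws IOException {
        if ((certPem == null) != (keyPem == null)) {
            throw new IllegalArgumentException("client certificate and key go together");
        }
        // forGrpcTls produces a grpc+tls:// location, so useTls() would be redundant.
        FlightClient.Builder builder =
                FlightClient.builder(allocator, Location.forGrpcTls(host, port));
        // Streams stay open across build(); null resources are skipped by try-with-resources.
        try (InputStream ca = Files.newInputStream(caPem);
             InputStream cert = certPem == null ? null : Files.newInputStream(certPem);
             InputStream key = keyPem == null ? null : Files.newInputStream(keyPem)) {
            builder.trustedCertificates(ca);          // CA(s) used to verify the server
            if (cert != null) {
                builder.clientCertificate(cert, key); // this client's identity
            }
            // verifyServer is never set to false here; verifyServer(false) would swap in
            // InsecureTrustManagerFactory and accept any server certificate.
            return builder.build();
        }
    }

    // Usage: host port ca.pem [client.pem client.key]  (all values supplied by the caller)
    public static void main(String[] args) throws Exception {
        Path cert = args.length > 4 ? Paths.get(args[3]) : null;
        Path key = args.length > 4 ? Paths.get(args[4]) : null;
        try (BufferAllocator allocator = new RootAllocator();
             FlightClient client = connect(allocator, args[0], Integer.parseInt(args[1]),
                                           Paths.get(args[2]), cert, key)) {
            for (FlightInfo info : client.listFlights(Criteria.ALL)) {
                System.out.println(info.getDescriptor());
            }
        }
    }
}
```

overrideHostname is left out on purpose: it only matters when the name the client dials differs from the name in the server certificate.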