Connecting to an SSL enabled server requires you mention a trustCertChainFile. Why?


kARTHIK R

Aug 8, 2018, 8:53:09 PM
to Gremlin-users
This is similar to an old question asked here (https://groups.google.com/d/msg/gremlin-users/0C3Z5I6URow/bbo2lpusCwAJ)
I have a gremlin server which has SSL enabled and it uses a cert signed by Verisign. Now when I'm setting up my client, I set ssl.enabled to true. But I don't mention any trustCertChain file explicitly. (Verisign Root CA is already bundled with my JRE). However, my logs are flooded with the following, which concerns me:

WARN  org.apache.tinkerpop.gremlin.driver.Cluster  - SSL configured without a trustCertChainFile and thus trusts all certificates without verification (not suitable for production)

Looking into the code a bit, it looks like while creating a cluster, if I'm turning on SSL, then I have to mention a trustCertChainFile, else it assumes that I'm talking to a server that operates with self-signed certs and skips endpoint validation.

Is my understanding right? If yes, why do we enforce this? I am able to talk to the endpoint using curl without having to mention --cacert <cert> as the VeriSign root CA is bundled with the version of curl (and browsers) that I have. I want the same experience when calling from java code. What is the right way for me to make the client process just pick the default JRE truststore for root certificates?

Karthik


Robert Dale

Aug 9, 2018, 8:18:54 AM
to gremli...@googlegroups.com

Hello,
Unfortunately there was a design decision to make the truststore explicit, otherwise trust anything. I agree with your assessment. I've created TINKERPOP-2022 to address that problem. Until then you'll have to set the parameter to make the message go away. Thanks for raising the issue.

Robert Dale


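The question above asks how to make the Java driver validate the server against the JRE's default truststore instead of either pointing at a PEM file or trusting everything. One way to do that, as an added example that is not from this thread or from the TinkerPop project, is to hand the driver a Netty SslContext built from the JVM's default TrustManagerFactory; it assumes the driver version in use exposes `Cluster.Builder.sslContext(SslContext)`, and the host name and port are placeholders.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.tinkerpop.gremlin.driver.Client;
import org.apache.tinkerpop.gremlin.driver.Cluster;

public class DefaultTruststoreClient {

    // Build a Netty SslContext whose trust anchors are exactly the JRE's
    // default truststore (cacerts): public roots such as VeriSign and
    // nothing else. This is neither "trust all" nor a hand-maintained PEM.
    static SslContext jreDefaultSslContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore => JRE default truststore
        return SslContextBuilder.forClient().trustManager(tmf).build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host/port; assumes the driver offers sslContext(...)
        Cluster cluster = Cluster.build("gremlin.example.invalid")
            .port(8182)
            .enableSsl(true)
            .sslContext(jreDefaultSslContext())
            .create();
        Client client = cluster.connect();
        try {
            // A connection to a server whose chain does not lead to a JRE
            // root will fail the handshake instead of silently succeeding.
            System.out.println(client.submit("g.V().count()").all().get());
        } finally {
            cluster.close();
        }
    }
}
```

This validates the server's certificate chain against the JRE roots; whether the driver version you run also verifies that the certificate matches the host name is a separate setting worth confirming, since the warning quoted above concerns chain trust only.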

kARTHIK R

Aug 9, 2018, 2:19:40 PM
to Gremlin-users
Thanks Robert! I see that you opened a thread in the dev mailing list for this, so let's discuss more details there.

Karthik