irods encryption settings on client and server


alsmith20000

Mar 30, 2023, 6:32:47 PM
to iRODS-Chat
Hello,
I'm trying to understand some client/server encryption settings.

My server irods_environment.json file has this now:
    "irods_client_server_policy": "CS_NEG_REQUIRE",

I don't have any equivalent setting in my client config but here:
https://docs.irods.org/4.2.8/plugins/pluggable_authentication/#encryption-settings
it says:

The following SSL encryption settings are required in irods_environment.json on both sides of the connection (client and server) and the values must match:
  • irods_encryption_algorithm (required) - EVP-supplied encryption algorithm for parallel transfer encryption
  • irods_encryption_key_size (required) - Key size for parallel transfer encryption
  • irods_encryption_num_hash_rounds (required) - Number of hash rounds for parallel transfer encryption
  • irods_encryption_salt_size (required) - Salt size for parallel transfer encryption

Could someone comment please:
1. There were no error messages on connection from the client. Are the settings in fact not essential on the client or is my connection not encrypted?

2. Is there a way for me to verify if my connection to irods is encrypted?

Many thanks

Alastair
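As an added example (not part of the thread), a small check for the situation described above: it compares a client and a server irods_environment.json against the four encryption keys the docs say must be present and match on both sides, and reports what is missing or different. The two JSON documents are constructed sample files; the values are illustrative, not taken from any real deployment.

```python
import json

# The four parallel-transfer encryption keys the iRODS docs require on both
# sides of the connection (client and server), plus the negotiation policy key.
REQUIRED_MATCHING_KEYS = (
    "irods_encryption_algorithm",
    "irods_encryption_key_size",
    "irods_encryption_num_hash_rounds",
    "irods_encryption_salt_size",
)
POLICY_KEY = "irods_client_server_policy"


def compare_encryption_settings(client_env: dict, server_env: dict) -> dict:
    """Report keys missing from either side and keys whose values differ.

    Returns {"missing": {"client": [...], "server": [...]},
             "mismatched": {key: (client_value, server_value)},
             "policies": (client_policy, server_policy)}.
    """
    missing = {
        "client": [k for k in REQUIRED_MATCHING_KEYS if k not in client_env],
        "server": [k for k in REQUIRED_MATCHING_KEYS if k not in server_env],
    }
    mismatched = {
        k: (client_env[k], server_env[k])
        for k in REQUIRED_MATCHING_KEYS
        if k in client_env and k in server_env and client_env[k] != server_env[k]
    }
    return {
        "missing": missing,
        "mismatched": mismatched,
        "policies": (client_env.get(POLICY_KEY), server_env.get(POLICY_KEY)),
    }


# Constructed sample files (not from a real system): the server side carries
# the full set; the client has no policy and only one, differing, encryption key.
SERVER_ENV = json.loads("""{
  "irods_client_server_policy": "CS_NEG_REQUIRE",
  "irods_encryption_algorithm": "AES-256-CBC",
  "irods_encryption_key_size": 32,
  "irods_encryption_num_hash_rounds": 16,
  "irods_encryption_salt_size": 8
}""")
CLIENT_ENV = json.loads("""{
  "irods_host": "irods.example.org",
  "irods_port": 1247,
  "irods_encryption_key_size": 16
}""")

if __name__ == "__main__":
    print(json.dumps(compare_encryption_settings(CLIENT_ENV, SERVER_ENV), indent=2))
```

To run it against real files, replace the two constructed documents with `json.load(open(path))` of each side's irods_environment.json.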

Robert Verkerk

Mar 31, 2023, 2:31:37 AM
to irod-chat
Hi Alastair,

To check if the connection is encrypted we do the following:

# enable debug logging:
export IRODS_LOG_LEVEL=9

# execute iRODS command:
ils -l | grep "<CS_NEG_PI>" -A4

This will hopefully show: "CS_NEG_USE_SSL". So you are using OpenSSL.

If there are other methods, I would kindly learn them.

--
Met vriendelijke groet,

Robert Verkerk



Kory Draughn

Oct 5, 2023, 12:39:47 PM
to irod...@googlegroups.com
Hi Alastair,

The irods_environment.json file only adjusts the client-side connection settings for that user.

If you want to require SSL for all connections to the server, you need to adjust acPreConnect() in core.re. For example:

acPreConnect(*OUT) {
    # Require all clients to connect using SSL/TLS.
    # If the client isn't using SSL/TLS, drop the connection.
    *OUT = "CS_NEG_REQUIRE";
}

With that in place, you'll start to see connection errors for any client that isn't using SSL.

Please see the following for additional information.
The iRODS server will log messages and return information to the client indicating if there's an error in your SSL configuration.

You can also use tools like tcpdump and wireshark to visually inspect SSL communication between the client and the iRODS server.

Hope that helps!

Kory Draughn
Chief Technologist
iRODS Consortium

