Graceful SSL degradation #48


Merged
merged 2 commits into from
Apr 6, 2016

Conversation

technige (Contributor)

@technige technige commented Apr 4, 2016

This should fix issue #46

@pontusmelke (Contributor)

Looks fine to me. Just a question: could it be a problem that we are silently downgrading the default to be insecure? I am thinking, could we give some sort of warning when running the driver on older versions, maybe here https://github.com/neo4j/neo4j-python-driver/blob/1.0-graceful-ssl-degradation/neo4j/v1/ssl_compat.py#L24?

@technige (Contributor, Author)

technige commented Apr 5, 2016

Yes, I wondered that too but wasn't sure where/when to inject the warning. Thinking about this again though, maybe a warning should appear the _first_ time that a driver instance is created with default encryption/trust.

@pontusmelke pontusmelke merged commit c40e4dc into 1.0 Apr 6, 2016
@pontusmelke pontusmelke deleted the 1.0-graceful-ssl-degradation branch April 6, 2016 09:15
@Alan-R

Alan-R commented Apr 25, 2016

Is it possible for the application to know what has happened one way or the other?

Can you disable non-SSL (http-only) in neo4j if you really care... That would apply to all uses of the API, which would be broader and more effective...

@zhenlineo (Contributor)

I am not sure if I got your question, but I'll give it a try.
You could configure the database to accept SSL-enabled, http-only connections.

Say you have a port 1234; you could configure it to open for SSL-enabled, http-only connections by using the following settings in a Neo4j database:

dbms.connector.1234.address=localhost:1234
dbms.connector.1234.enabled=true
dbms.connector.1234.encryption=TLS
dbms.connector.1234.type=HTTP

If you have another port 4321, and you want to configure it differently, then just set it accordingly, such as:

dbms.connector.4321.address=localhost:4321
dbms.connector.4321.enabled=true
dbms.connector.4321.encryption=REQUIRED
dbms.connector.4321.type=BOLT

Then you explicitly set what kind of connections you want for different ports.
For more info: http://neo4j.com/docs/operations-manual/3.0/#_configuring_bolt_connectors

Hope this answered your questions :)

@Alan-R

Alan-R commented Apr 25, 2016

@nigelsmall - I might recommend that people do things like @zhenlineo suggested if they really care about making sure that they don't accidentally get unencrypted connections. That's better than anything you can do through neo4j anyway. But having a way to ask "Did I get an encrypted connection?" still seems like a reasonable thought. Not required, just food for thought. If your application cares, then you can ask. If you don't know about SSL (too old), then your current action is backwards-compatible.

@zhenlineo It looks like you can't disable http-only connections (exactly one http connector).

@technige (Contributor, Author)

You can already work this out by using driver.encryption which will return True or False depending on whether the driver produces encrypted sessions or not.
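
Applying the check described above in application code, as an added example that is not part of this pull request or the driver's own code: the only driver attribute it relies on is `driver.encryption` from the comment above; `StubDriver`, `InsecureConnectionError`, `check_encryption` and its `policy` values are hypothetical names introduced here, and the stub drivers are constructed inputs standing in for real driver instances.

```python
import warnings


class StubDriver:
    """Constructed stand-in for the driver object discussed in this thread.

    Only the `encryption` attribute mentioned above is modelled: True when the
    driver produces encrypted sessions, False after the driver has silently
    degraded because the Python ssl module is too old.
    """

    def __init__(self, encryption):
        self.encryption = encryption


class InsecureConnectionError(RuntimeError):
    """Raised when a driver would produce plaintext sessions but the policy forbids it."""


# Module-level flag so the degradation warning fires once per process, which is
# the "warn the first time a driver is created" idea from the discussion.
_degradation_warned = False


def check_encryption(driver, policy="require"):
    """Inspect driver.encryption and apply one of three hypothetical policies.

    policy="require": raise InsecureConnectionError if sessions are not encrypted.
    policy="warn":    emit a RuntimeWarning once per process, then continue.
    policy="allow":   accept plaintext silently (the driver's own default behaviour).

    Returns True if the driver is encrypting, False otherwise.
    """
    global _degradation_warned
    if policy not in ("require", "warn", "allow"):
        raise ValueError("unknown policy: %r" % (policy,))
    if driver.encryption:
        return True
    if policy == "require":
        raise InsecureConnectionError(
            "neo4j driver degraded to unencrypted sessions; refusing to continue"
        )
    if policy == "warn" and not _degradation_warned:
        warnings.warn(
            "neo4j driver is producing unencrypted sessions (SSL support unavailable)",
            RuntimeWarning,
            stacklevel=2,
        )
        _degradation_warned = True
    return False


if __name__ == "__main__":
    # Constructed drivers standing in for an encrypted and a degraded instance.
    print(check_encryption(StubDriver(True)))                    # True
    print(check_encryption(StubDriver(False), policy="allow"))   # False
    try:
        check_encryption(StubDriver(False))
    except InsecureConnectionError as exc:
        print("refused:", exc)
```

With a real driver instance in place of `StubDriver`, the "require" policy is the one to use when unencrypted traffic is unacceptable, since the driver itself degrades without raising; "warn" gives the one-time notice the thread suggests without changing backwards-compatible behaviour.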

@Alan-R

Alan-R commented Apr 25, 2016

Good answer. Thanks @nigelsmall !
