customized certificate not work #5859

Open
Ha0124 opened this issue Apr 16, 2024 · 7 comments
Labels
type/question Type: question about the product

Comments

Ha0124 commented Apr 16, 2024

Introduction

When using plaintext certificates for verification, communication between services can occur. If the certificate is encrypted, communication cannot be completed. Can an interface be provided for this type of scenario?

Contents
If I use customized certificates and paired password keys, can it be compatible with such scenarios?

Related work

@Ha0124 Ha0124 added the type/enhancement Type: make the code neat or more efficient label Apr 16, 2024
Contributor

QingZ11 commented Apr 17, 2024

@Ha0124 hi, thank you for your feedback. When you mentioned 'customized certificates,' are you referring to self-signed certificates? Or are you saying that these certificates have passwords?

If possible, could you provide any feasible solutions or implementations you have encountered or seen in other products?

Author

Ha0124 commented Apr 17, 2024

When I try to use the SSL encryption function following https://docs.nebula-graph.io/3.6.0/7.data-security/4.ssl/,
I use the provided case from /tests, downloaded to local,
and then add
--password_path=/xx/xx/xx/test.ca.password
--key_path=/xx/xx/xx//nebula/test.ca.key
--cert_path=/xx/xx/xx/test.ca.pem
--enable_ssl=true
to nebula-graphd.conf, nebula-metad.conf and nebula-storaged.conf,
but it doesn't work.

When I set --enable_ssl=false, the services can be linked.
Does the SSL encryption function have limits?

@QingZ11 QingZ11 added type/question Type: question about the product and removed type/enhancement Type: make the code neat or more efficient labels Apr 18, 2024
Contributor

QingZ11 commented Apr 18, 2024

After you configured the SSL information, did you restart the three services?

Contributor

HarrisChu commented Apr 18, 2024

vealfan commented Apr 18, 2024

After the RSA key pair is generated using openssl genrsa command, we encrypted the RSA key pair using openssl rsa command with AES-256-CBC. The key file encrypted using AES-256-CBC is used to meet security requirements. However, nebula may not be able to parse such a key file.

Contributor

The password in nebula just encrypts like passout in openssl genrsa, e.g.

echo "123456" > passphrase.txt
openssl genrsa  -passout file:passphrase.txt -out privkey.pem 2048

# and then password_path should be passphrase.txt
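
A local check for the three files that the --key_path, --password_path and --cert_path flags in this thread point to, added here as an example (not code from NebulaGraph or from any commenter): it reports whether the key PEM is actually passphrase-encrypted, whether the passphrase file unlocks it, and whether the key belongs to the certificate. The function names are made up for this example, and the result only shows what OpenSSL itself can load, not what NebulaGraph's own loader accepts.

```shell
#!/bin/sh
# Added diagnostic, not NebulaGraph code. Function names are hypothetical.
# Usage: sh check_tls.sh KEY_PATH PASSWORD_PATH CERT_PATH

# Returns 0 if the PEM header marks the private key as passphrase-encrypted.
key_is_encrypted() {
    # PKCS#8 has its own BEGIN line; the traditional format adds a Proc-Type header.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Returns 0 if openssl can load the key ($1) using the passphrase file ($2).
passphrase_unlocks() {
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Returns 0 if the public key derived from the private key ($1, passphrase
# file $2) is identical to the public key embedded in the certificate ($3).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "file:$2" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

check_tls_material() {
    if key_is_encrypted "$1"; then
        echo "key: passphrase-encrypted PEM"
    else
        echo "key: NOT encrypted, the passphrase file is not needed to load it"
    fi
    if ! passphrase_unlocks "$1" "$2"; then
        echo "FAIL: passphrase file does not unlock the key"
        return 1
    fi
    if ! key_matches_cert "$1" "$2" "$3"; then
        echo "FAIL: private key does not match the certificate"
        return 2
    fi
    echo "OK: key loads with the passphrase file and matches the certificate"
}

if [ "$#" -eq 3 ]; then
    check_tls_material "$@"
fi
```

`openssl genrsa` only encrypts its output when a cipher option such as `-aes256` is given; with `-passout` alone the key is written unencrypted, which the first line of the report makes visible.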

Author

Ha0124 commented May 7, 2024

If I doencrypt with the cert, will it be accepted in nebula?
