Use SSL for cluster communications

Is it possible to use SSL for cluster communications when using IP addresses for gossip seeds (i.e. DNS is not an option)?

So you’re doing something like this:

```csharp
using System.Linq;
using System.Net;
using EventStore.ClientAPI;

// endPoints: the IEnumerable<IPEndPoint> of gossip seed addresses (nodes' external HTTP port)
// settings: a ConnectionSettings built via ConnectionSettings.Create()
var builder = ClusterSettings.Create();
var gossipBuilder = builder.DiscoverClusterViaGossipSeeds();
var seedBuilder = gossipBuilder.SetGossipSeedEndPoints(
    endPoints.Select(e => new GossipSeed(e)).ToArray());
var eventStoreConnection = EventStoreConnection.Create(
    settings,
    seedBuilder,   // implicitly converted to ClusterSettings
    "default");
```

And you would like to have invoked:

settings.UseSslConnection - which takes a hostname and a bool indicating if you want to validate the certificate.

I suppose if you don’t validate the cert this might work out - but assuming that that’s important, is there another way to make SSL work?

A few things are being conflated here...

1) client->node communications (this happens over SSL if configured, whether single node or cluster).
2) node discovery (gossip): this happens without SSL.
3) internode communications (replication): this happens over SSL if configured.

Trying to understand your question, you are looking at #1 here and looking at how to validate certs if you don't know which node you will connect to? The hostname refers to the certificate host, not the host for gossip etc.: https://github.com/EventStore/EventStore/blob/release-v3.5.0/src/EventStore.ClientAPI/ConnectionSettingsBuilder.cs#L255

Greg

The intent of the question is #1.

One is setting up a connection from a client process to a cluster, one is not able to create multiple DNS records to allow cluster discovery.

How does one set up the client to communicate with the cluster nodes over SSL, assuming the nodes themselves have been correctly set up?

One can assume the latest version of the .NET API and the 3.4 OSS server.

Brian

See previous reply. The hostname refers to the certificate hostname; this has nothing to do with how you discovered the node.

"The hostname refers to the certificate hostname; this has nothing to do with how you discovered the node."

Reading between the lines, it would seem that the event store client will consider the connection validated if the certificate on the node has a hostname that matches the hostname supplied in UseSslConnection, and also checks out with the CA?

Yes.
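Putting the thread's conclusion into a complete client-side configuration, as an added example that is not taken from the posts above or from the EventStore project: gossip seeds given as bare IP addresses (gossip runs without SSL, so no DNS name is needed there), client-to-node traffic over SSL, and server certificate validation left on. The seed addresses, the port 2113, and the certificate hostname `es-cluster.example.internal` are constructed placeholders; the hostname must be the name actually present in every node's certificate, since that is what UseSslConnection checks against.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using EventStore.ClientAPI;

public static class SecureClusterClient
{
    // Constructed placeholders: replace with the cluster's external HTTP (gossip) endpoints.
    private static readonly IPEndPoint[] GossipSeeds =
    {
        new IPEndPoint(IPAddress.Parse("10.0.0.11"), 2113),
        new IPEndPoint(IPAddress.Parse("10.0.0.12"), 2113),
        new IPEndPoint(IPAddress.Parse("10.0.0.13"), 2113),
    };

    // Assumed name present in every node's certificate (CN or SAN). This is the value
    // UseSslConnection matches against; it is unrelated to the seed IPs above.
    private const string CertificateHostName = "es-cluster.example.internal";

    public static IEventStoreConnection Create()
    {
        // Node discovery (#2 in the thread) is plain gossip over HTTP, so bare IPs are fine.
        ClusterSettings cluster = ClusterSettings.Create()
            .DiscoverClusterViaGossipSeeds()
            .SetGossipSeedEndPoints(GossipSeeds)
            .SetMaxDiscoverAttempts(10)
            .Build();

        // Client->node traffic (#1 in the thread) goes over SSL once UseSslConnection is set.
        // Second argument is validateServer: true keeps the hostname match and CA chain
        // check on; false would accept any certificate the node presents.
        ConnectionSettings connection = ConnectionSettings.Create()
            .UseSslConnection(CertificateHostName, true)
            .KeepReconnecting()
            .KeepRetrying()
            .Build();

        return EventStoreConnection.Create(connection, cluster, "secure-cluster-client");
    }

    public static async Task Main()
    {
        using (var conn = Create())
        {
            // Discovery picks a node from gossip; the TLS handshake with that node is then
            // validated against CertificateHostName and the machine's trusted CAs.
            await conn.ConnectAsync();
            Console.WriteLine("Connected over SSL to a gossip-discovered node");
        }
    }
}
```

Because the client may end up talking to any node the gossip returns, every node's certificate has to carry the same name passed to UseSslConnection (or each node's certificate has to list it as a subject alternative name) and chain to a CA the client machine trusts; otherwise validation fails on whichever node lacks it.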