NETCONF-1205 (project: netconf)

Support private keys and trusted certificates configuration on a per-TLS-device basis

Details

    • Type: Improvement
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved

    Description

      The current odl-netconf-device model (and, as a result, netconf-node-topology) provides no configuration option that defines which private key and trusted certificate SslHandler should use when establishing a TLS connection. Instead, SslHandler is built from a KeyStore instance containing all the private keys and all the trusted certificates currently defined in the datastore.

      The more entries are defined in the datastore, the larger the SslHandler instance becomes and the longer the handshake may take. Using the same set of keys and certificates for every TLS device also means that a single un-parseable entry causes every TLS device connection to fail, as described in NETCONF-821.

      To make the SslHandler instance lighter, the handshake faster, and the configuration clearer and more transparent, it seems reasonable to provide per-device TLS options.

      The following configuration options are suggested under the TLS container (connection-parameters grouping):

      • leaf-list private-key-id – private key ids
      • leaf-list trusted-certificate-id – trusted certificate ids

      Both are expected to be optional and act as a filter when defined; the full set is used when undefined.
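      The filter semantics proposed above, sketched as an added example (this is not code from the netconf project or from this issue): a per-device KeyStore is derived from the global KeyStore that holds every private key and trusted certificate, keeping only the aliases named by private-key-id and trusted-certificate-id, and keeping everything when a list is absent or empty. The class name, the use of KeyStore aliases as the "id", and the key password parameter are assumptions made for the example. A configured id that does not exist in the global store is reported instead of being silently dropped, since an empty or partial subset would otherwise only show up later as a handshake failure.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

// Added example: builds a per-device KeyStore by filtering a global one.
// Assumes the configured ids correspond to KeyStore aliases.
public final class PerDeviceKeyStore {

    private PerDeviceKeyStore() {
    }

    /**
     * @param all            store holding every private key and trusted certificate
     * @param privateKeyIds  aliases of private keys to keep; null or empty means "all"
     * @param trustedCertIds aliases of trusted certificates to keep; null or empty means "all"
     * @param keyPassword    password protecting the private key entries (assumed)
     * @return a new in-memory KeyStore containing only the selected entries
     */
    public static KeyStore filter(KeyStore all, Collection<String> privateKeyIds,
            Collection<String> trustedCertIds, char[] keyPassword) throws Exception {
        KeyStore subset = KeyStore.getInstance(KeyStore.getDefaultType());
        subset.load(null, null); // start with an empty in-memory store

        boolean keepAllKeys = privateKeyIds == null || privateKeyIds.isEmpty();
        boolean keepAllCerts = trustedCertIds == null || trustedCertIds.isEmpty();

        // Track which configured ids were actually found so misconfiguration is visible.
        Set<String> missing = new HashSet<>();
        if (!keepAllKeys) {
            missing.addAll(privateKeyIds);
        }
        if (!keepAllCerts) {
            missing.addAll(trustedCertIds);
        }

        Enumeration<String> aliases = all.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (all.isKeyEntry(alias)) {
                if (keepAllKeys || privateKeyIds.contains(alias)) {
                    subset.setKeyEntry(alias, all.getKey(alias, keyPassword), keyPassword,
                            all.getCertificateChain(alias));
                    missing.remove(alias);
                }
            } else if (all.isCertificateEntry(alias)) {
                if (keepAllCerts || trustedCertIds.contains(alias)) {
                    subset.setCertificateEntry(alias, all.getCertificate(alias));
                    missing.remove(alias);
                }
            }
        }

        if (!missing.isEmpty()) {
            // Fail early: a device configured with an unknown id would otherwise
            // get an incomplete store and fail only at handshake time.
            throw new KeyStoreException("configured ids not present in key store: " + missing);
        }
        return subset;
    }
}
```

      The resulting subset store is what a per-device KeyManagerFactory and TrustManagerFactory would be initialised from before the SslHandler for that device is created; a parse problem in an entry that the device does not reference then never enters that device's store.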

People

    • Assignee: Unassigned
    • Reporter: rkashapov (Ruslan Kashapov)