neo4j-partners / google-deployment-manager-neo4j

Google Deployment Manager (DM) templates for Neo4j
Apache License 2.0

Turn On Additional SSL Services #3

Closed benofben closed 1 year ago

benofben commented 2 years ago

In node.sh flip on encryption for bolt, etc.

drumcircle commented 2 years ago

On it

drumcircle commented 2 years ago

Fixed pending verification

benofben commented 2 years ago

I don't know how to test this is all working. It'd be good to check with some people more familiar with this part of the product and make sure all this is functioning properly.

drumcircle commented 2 years ago

It has been established that bolt+s does not work with SSC and bolt+ssc is not selectable from Browser, Desktop (or Bloom), and also doesn't work on Google Chrome. So we need to decide how to clean up and remove encrypted communication to tools and a workflow/method for quickly/easily generating domains + certs for labs and non-prod use.

drumcircle commented 2 years ago

Oskar Hane 8:44 AM +ssc doesn't apply to web browsers. The OS handles the trusting of certificates for them. You need to go to a web page that uses that cert and there you'll be prompted to manually trust it (i.e. the https version of the neo4j-browser url on the same machine as where neo4j is hosted). After that's done, you can use +s.

benofben commented 2 years ago

Got it. So three things.

  1. If we trust the self signed cert, we'd expect +s to work then. That's not the behavior I'm observing. So, why is that? Are we configured incorrectly or is there a product issue?
  2. I would think +ssc would work outside the web browser, for instance with a python driver running from a laptop connecting to the cluster using neo4j+ssc://someip. We should verify that works.
  3. How do we verify the other services are running -- encryption between nodes, etc.

drumcircle commented 2 years ago
  1. +s only works with public signed certs. +ssc does not work with web browsers. This is all apparently as-designed. https in the web browser (which works for ssc on Safari) triggers +s in JavaScript, which fails. So use http (no ssl) for all management in labs (and suggest that IP whitelisting is appropriate for dev/test/lab).
  2. Correct, will verify.
  3. Will investigate.

benofben commented 2 years ago

"triggers +s in javascript which fails" --- So it doesn't work. But it is a product bug. Yes?

Because "ignore warnings" gets us logged into https at 7473 but it's unusable because of the lack of a +ssc option once you're there if I'm understanding correctly.

drumcircle commented 2 years ago

Yes. The bug is either in product or documentation. But what we observe is:

When self-signed certificates are configured in Neo4j, accessing Browser or Bloom fails under HTTPS, which is accessible from Safari (and other browsers, not Chrome). In Desktop, connection via +SSC is not available (because it uses Chrome under the covers, presumably) and +S doesn't work.

The current behavior would call for a simple disclaimer in docs:

SSC is useful for direct, programmatic connections only, but not through client tools or a web browser.

benofben commented 2 years ago

Seems fair. I suspect we'd want to open a ticket with everything we've learned here, assuming one doesn't already exist.

The question of the other services remains. Chat about it all next week...

benofben commented 2 years ago

Looks like the current version with the loop unrolled is only doing https and bolt.

The previous loop (which admittedly didn't work properly) had four services:

for service in bolt https cluster backup; do

So, we need to do cluster and backup too.
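The four-service loop referred to above, written out as an added example that is not the repository's node.sh: it renders the `dbms.ssl.policy.<service>.*` settings (Neo4j 4.x keys) for bolt, https, cluster and backup, and flips on the connector settings that actually enforce TLS. The certificate root directory and the per-service subdirectory layout are assumptions, as is the choice to require client certificates on the server-to-server policies (cluster, backup) while leaving client auth off for bolt and https.

```shell
#!/usr/bin/env bash
# Added example, not code from the neo4j-partners repository.
# Renders Neo4j 4.x SSL policy settings for all four services that the
# original loop named, so cluster and backup traffic are encrypted too.
set -eu

# Assumed layout: one directory per policy under CERT_ROOT, each holding
# private.key, public.crt and trusted/ + revoked/ subdirectories.
CERT_ROOT="${CERT_ROOT:-/var/lib/neo4j/certificates}"
SERVICES="bolt https cluster backup"

# Emit the dbms.ssl.policy.<service>.* block for a single service.
render_ssl_policy() {
  service="$1"
  dir="$2"
  cat <<EOF
dbms.ssl.policy.${service}.enabled=true
dbms.ssl.policy.${service}.base_directory=${dir}
dbms.ssl.policy.${service}.private_key=private.key
dbms.ssl.policy.${service}.public_certificate=public.crt
dbms.ssl.policy.${service}.trusted_dir=trusted
dbms.ssl.policy.${service}.revoked_dir=revoked
EOF
  # cluster and backup are server-to-server links: make the peer present
  # a certificate as well (mutual TLS). Browser/driver-facing services do not.
  case "$service" in
    cluster|backup) echo "dbms.ssl.policy.${service}.client_auth=REQUIRE" ;;
    *)              echo "dbms.ssl.policy.${service}.client_auth=NONE" ;;
  esac
}

# Render every policy plus the connector settings that turn TLS on;
# a policy block alone does nothing until the connector uses it.
render_all() {
  for s in $SERVICES; do
    render_ssl_policy "$s" "${CERT_ROOT}/${s}"
    echo
  done
  echo "dbms.connector.bolt.tls_level=REQUIRED"
  echo "dbms.connector.https.enabled=true"
}

# Quick self-check on rendered config from stdin: how many policies are
# enabled? The unrolled version in the thread only covered two.
count_enabled_policies() {
  grep -c '^dbms\.ssl\.policy\.[a-z]*\.enabled=true$' || true
}

# Append to neo4j.conf by running:  render_all >> /path/to/neo4j.conf
```

Running `render_all | count_enabled_policies` on the output should report 4; anything less means a service is still speaking plaintext.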

drumcircle commented 2 years ago

Should the template be setup for different certificates on each of the services? This seems overkill for 99% of situations.

drumcircle commented 2 years ago

Updated config, pushed to branch: feature/3_additional_services_shared

Left separate directories for dbms.ssl.policy certificates.

Attachment: neo4j (1).conf.txt