
Comments (3)

colinmcintosh commented on July 27, 2024

Hi @thomarite!

The NoTLS flag is actually a "don't verify TLS" flag. The gNMI specification states that

> The session between the client and server MUST be encrypted using TLS - and a target or client MUST NOT fall back to unencrypted sessions.

as such we will always create the connection with a TLS transport, with the option to disable verification. I'm actually surprised that the Arista router started the gNMI server without TLS credentials. You should be able to get up and running with a self-signed certificate on your Arista router which you can generate with these commands:

conf t
security pki certificate generate self-signed cvp.crt key cvp.key generate rsa 2048 validity 30000 parameters common-name cvp
!
management api gnmi
    transport grpc GRPC
        ssl profile SELFSIGNED
!
management security
    ssl profile SELFSIGNED
        certificate cvp.crt key cvp.key

This could probably use some better documentation: that TLS is required and that the NoTLS flag still initiates a TLS session but without verification. I'm thinking the NoTLS flag should also be renamed (or aliased) to NoTLSVerify to be more clear.

I'll give more thought as well to possibly including the option to completely disable TLS for interoperability purposes given that it seems some implementations of gNMI targets support that.

from gnmi-gateway.
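
The difference between "TLS without verification" and "TLS that trusts a self-signed certificate", which the comment above turns on, shown as an added example with Go's standard crypto/tls (not gnmi-gateway's code). It assumes that NoTLS corresponds to `InsecureSkipVerify`, and it uses httptest's built-in test certificate as a stand-in for the router's self-signed cvp.crt; the name `other.invalid` is made up.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// dial performs one TLS handshake against addr and returns the client's error.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// compare handshakes four client configurations against a loopback target whose
// certificate no public CA signed (httptest's built-in test certificate, a
// stand-in for the router's self-signed cvp.crt).
func compare() (strict, noVerify, pinned, wrongName error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly the certificate the target presents

	// Default verification: the chain must reach a system root, so this fails.
	strict = dial(addr, &tls.Config{})
	// Verification off: still encrypted, but any certificate is accepted, so an
	// on-path impostor is not detected (assumed equivalent of NoTLS).
	noVerify = dial(addr, &tls.Config{InsecureSkipVerify: true})
	// Pinned trust anchor: verifies the chain and the name (127.0.0.1 is in the SANs).
	pinned = dial(addr, &tls.Config{RootCAs: pool})
	// Same anchor, but a name the certificate does not carry: rejected.
	wrongName = dial(addr, &tls.Config{RootCAs: pool, ServerName: "other.invalid"})
	return
}

func main() {
	strict, noVerify, pinned, wrongName := compare()
	fmt.Println("default verification:", strict)
	fmt.Println("verification off:    ", noVerify)
	fmt.Println("pinned certificate:  ", pinned)
	fmt.Println("pinned, wrong name:  ", wrongName)
}
```

Go checks the requested name against the certificate's subject alternative names, so a certificate that carries only a common name fails the pinned case at the name check even when its trust anchor is loaded.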

thomarite commented on July 27, 2024

Thanks @colinmcintosh for the quick answer and clarification! I have followed your instructions and everything works fine. Yes, I think a clarification about the purpose of NoTLS could help to avoid confusion.

Anyway, it is a great tool that you have built! I will keep playing with it.

from gnmi-gateway.

gsl-rosst commented on July 27, 2024

> I'll give more thought as well to possibly including the option to completely disable TLS for interoperability purposes given that it seems some implementations of gNMI targets support that.

I would appreciate this - Arista EOS does not require TLS, and I was querying devices successfully with gnmic and telegraf with no TLS. I was confused why gnmi-gateway would not work until I discovered this issue. Now I have to go generate self-signed certs on all my devices, or use different software.

from gnmi-gateway.
