Thanks for the great improvements and upgrades to the DataSHIELD tech stack, greatly appreciated. I was eager to try it as soon as possible (just after I’d returned from the Bonn conference).
My setting is:
Opal 5.0-RC3 using my local (WSL2) Docker Compose-based setup, 3 * (Opal+Rock+Mongo) containers + 1 client container (dsBase + R).
The (bash+R) script automatically creates nodes, adds data and users, configures everything, then runs a simple stat analysis to verify that nothing broke since the last release before we consider upgrading our production environment. I’d say this is simple but good enough local, specific regression testing of the capabilities we use in our prod env.
It used to work perfectly with previous releases, and now I encounter an error when a client is trying to establish a connection.
What works: all the Opal APIs are working fine (import data, configure metadata, create projects, users, assign permissions), no regressions detected, works fine as always.
What broke: the client (dsBase 6.3.0, another container in the same docker-compose network) is unable to connect to the Opal server.
Logging into the collaborating servers
Login study1 [=================>-------------------------------------------------------] 25% / 0sError: [Client error: (400) Bad Request] 400
We use default self-signed TLS certificates for Opal endpoints and use an override when creating client connections:
options = "list(ssl_verifyhost=0, ssl_verifypeer=0)"
(It’s acceptable for this kind of local, laptop-based dev / testing environment without any sensitive data; we want to avoid unnecessary complexity with certbot etc.)
Now it seems not to be possible anymore due to TLS encryption changes.
I investigated more with curl to provide more info about this issue.
Both
curl -k https://datashield-opal-1:8443
and
curl -k --resolve datashield-opal-1:8443:172.18.0.10 https://datashield-opal-1:8443
result in
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 400 Invalid SNI</title>
</head>
<body>
<h2>HTTP ERROR 400 Invalid SNI</h2>
<table>
<tr><th>URI:</th><td>https://datashield-opal-1:8443/</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Invalid SNI</td></tr>
</table>
</body>
</html>
Is it expected behavior (increased security etc.)?
Is there a known workaround? (Server-side settings for the HTTP endpoint would be my guess.)
We’d like to keep an option to use self-signed certificates for testing/local dev purposes. Of course, everything that improves security is very welcome for prod environments.
We’re looking for an off/override switch here.
Please advise.
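The following is an added illustration, not code from this post or from the Opal/DataSHIELD projects. It models why client-side flags such as `ssl_verifypeer=0` / `ssl_verifyhost=0` cannot get past a `400 Invalid SNI`: that message comes from a server-side check (the wording is Jetty's `sniHostCheck`, which is assumed here to be what Opal runs) that compares the host name the client asked for, sent as TLS SNI and as the HTTP `Host` header, against the names in the server's own certificate, before any HTTP handling. The certificate contents below (`CN=localhost`, SAN `localhost`/`127.0.0.1`) are constructed placeholders, since the post does not show Opal's default certificate, and `ServerCert`, `sni_host_check` and the two sample certificates are names invented for this example.

```python
"""Model of a Jetty-style SNI host check (constructed example).

Shows that the client's certificate-verification settings never enter the
comparison: the server checks the requested host name against its OWN
certificate, so a self-signed certificate whose SAN contains the host name
the clients use (e.g. the compose service name) satisfies the check without
disabling anything.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Subset of certificate fields that matter for host matching."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)

    def names(self):
        # SAN DNS names win; the CN is only a fallback for SAN-less certs.
        return self.san_dns or [self.subject_cn]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the left-most label only
    ('*.example.org' matches 'a.example.org', not 'example.org' or
    'a.b.example.org')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        _, _, host_rest = host.partition(".")
        return bool(host_rest) and host_rest == pattern[2:]
    return False


def _strip_port(authority: str) -> str:
    """'datashield-opal-1:8443' -> 'datashield-opal-1'; '[::1]:8443' -> '::1'."""
    if authority.startswith("["):
        return authority[1:authority.index("]")]
    return authority.split(":", 1)[0]


def sni_host_check(requested_host: str, cert: ServerCert) -> tuple:
    """Return (accepted, reason) as a Jetty-like sniHostCheck would.

    requested_host is the authority the client used (SNI / Host header);
    whether the CLIENT verifies the certificate is irrelevant here.
    """
    host = _strip_port(requested_host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                       # IP literal: only IP SANs count
        ok = any(ip == ipaddress.ip_address(s) for s in cert.san_ip)
    else:
        ok = any(dns_name_matches(n, host) for n in cert.names())
    if ok:
        return True, "host %r matches the server certificate" % host
    return False, "400 Invalid SNI: %r not among %s" % (
        host, cert.names() + cert.san_ip)


# Constructed placeholder for a default self-signed certificate that only
# knows 'localhost' (the post does not show the real certificate).
DEFAULT_CERT = ServerCert("localhost", ["localhost"], ["127.0.0.1"])

# Constructed certificate that also carries the compose service name and the
# container IP from the post; still self-signed, still usable for local dev.
FIXED_CERT = ServerCert("datashield-opal-1",
                        ["datashield-opal-1", "localhost"],
                        ["172.18.0.10", "127.0.0.1"])


if __name__ == "__main__":
    for authority in ("datashield-opal-1:8443", "172.18.0.10:8443", "localhost:8443"):
        for label, cert in (("default cert", DEFAULT_CERT), ("fixed cert", FIXED_CERT)):
            accepted, reason = sni_host_check(authority, cert)
            print("%-24s %-12s -> %s" % (authority, label, reason))
```

Run it as a script to see the three authorities from the post against both certificates; the `ssl_verifypeer=0` override would change none of the rows, because the decision is made from the server's certificate and the name the client connected to, not from what the client chooses to verify.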