SSL/TLS in a mixed environment
In a mixed environment, each link between P4 Server, proxies, or brokers can be configured to be in either plaintext or SSL/TLS, independent of the encryption choice for any other link. Consider the following examples:
- During a migration from cleartext to SSL/TLS, a P4 Broker can be configured to accept plaintext connections from older P4 Server applications, and to forward those requests (encrypted by SSL/TLS) to a P4 Server that requires SSL/TLS connections.
- A P4 Broker can be configured to listen on tcp:old-server:1666, and redirect all requests to a target of ssl:new-server:1667. Users of new P4 Server applications can use SSL/TLS to connect directly to the upgraded P4 Server (by setting P4PORT to ssl:new-server:1667), while users of older P4 Server applications can continue to use plaintext when connecting to a P4 Broker (by setting P4PORT to old-server:1666). After migration is complete, the broker at old-server:1666 can be deactivated (or reconfigured to require SSL/TLS connections), and any remaining legacy processes or scripts still attempting to connect via plaintext can be upgraded manually.
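The migration above, as an added example that is not part of the Perforce documentation or the product's own code: a POSIX shell script that writes the two p4broker.conf files for the phases described (plaintext listener forwarding over SSL/TLS, then an SSL/TLS-only listener), plus a small audit that flags P4PORT values from legacy scripts that would still connect in plaintext. The hostnames old-server and new-server and ports come from the text; the directory paths, admin contact fields, and the sample P4PORT values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Perforce docs. Paths under /p4/broker and the
# admin-* values are assumptions; replace them with your own.

# Phase 1: the broker accepts plaintext on old-server:1666 and forwards every
# request over SSL/TLS to the upgraded server. The broker's own account must
# already trust the target's fingerprint (p4 trust run as the broker user,
# or the entry placed in its P4TRUST file).
write_phase1_conf() {
  cat > "$1" <<'EOF'
# p4broker.conf, migration phase 1: plaintext in, SSL/TLS out
listen      = tcp:old-server:1666;
target      = ssl:new-server:1667;
directory   = /p4/broker;
logfile     = /p4/broker/broker.log;
debug-level = server=1;
admin-name  = "Perforce Admins";
admin-phone = "555-0100";
admin-email = "p4admin@example.com";
EOF
}

# Phase 2: after migration the same broker is reconfigured to require
# SSL/TLS from clients as well. An ssl: listener needs the broker's own key
# and certificate in its P4SSLDIR (assumption: /p4/broker/ssl).
write_phase2_conf() {
  cat > "$1" <<'EOF'
# p4broker.conf, migration phase 2: SSL/TLS on both sides
listen      = ssl:old-server:1666;
target      = ssl:new-server:1667;
directory   = /p4/broker;
logfile     = /p4/broker/broker.log;
debug-level = server=1;
admin-name  = "Perforce Admins";
admin-phone = "555-0100";
admin-email = "p4admin@example.com";
EOF
}

# Classify a P4PORT value. Only the ssl-family prefixes (ssl, ssl4, ssl6,
# ssl46, ssl64) give an encrypted connection; a bare host:port, a bare port,
# or any tcp-family prefix is plaintext.
p4port_scheme() {
  case "$1" in
    ssl:*|ssl4:*|ssl6:*|ssl46:*|ssl64:*) echo ssl ;;
    *) echo plaintext ;;
  esac
}

# Print the P4PORT values (one per line) that would still talk plaintext to
# the broker, i.e. the legacy scripts to upgrade before phase 2.
audit_legacy_ports() {
  for port in "$@"; do
    [ "$(p4port_scheme "$port")" = plaintext ] && echo "$port"
  done
  return 0
}

# Constructed sample of P4PORT settings harvested from build scripts.
SAMPLE_PORTS="ssl:new-server:1667 old-server:1666 tcp:old-server:1666 ssl64:new-server:1667 1666"

if [ "${1:-}" = "demo" ]; then
  write_phase1_conf ./p4broker.phase1.conf
  write_phase2_conf ./p4broker.phase2.conf
  echo "legacy plaintext P4PORT values still in use:"
  # shellcheck disable=SC2086
  audit_legacy_ports $SAMPLE_PORTS
fi
```

Run it with `sh migrate.sh demo` to write both configuration files into the current directory and list the plaintext settings; start the broker against a phase with `p4broker -c p4broker.phase1.conf -d`. The audit deliberately treats anything that is not an ssl-family prefix as plaintext, so a value you cannot parse is reported rather than silently assumed safe.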
When migrating from a non-SSL/TLS environment to an SSL/TLS-based environment that uses self-signed certificates, it is your responsibility to communicate the new server's fingerprint to your users over a channel you trust (not over the connection being verified), so that they can compare it against the fingerprint that p4 trust displays before accepting it. If you use certificates issued by a certificate authority, 2021.1 and later clients validate your certificate chain and do not need a fingerprint.
To learn more, see Key and certificate management.