
enable TLS (kwil-db issue, CLOSED)

Yaiba commented on August 22, 2024
enable TLS

from kwil-db.

Comments (3)

jchappelow commented on August 22, 2024

I can do this. I'll take a look when I wrap up validator state persistence (hopefully tomorrow).


Yaiba commented on August 22, 2024

I can do this. I'll take a look when I wrap up validator state persistence (hopefully tomorrow).

Cool. I'm not entirely sure, but we probably could reuse node_key.json or priv_validator_key.json(from cometBft)


jchappelow commented on August 22, 2024

Thoughts from the chat this morning, including @charithabandi's comments on slack --

For the root CA-signed certificate option, letsencrypt/certbot can get these on demand, but they kinda suck because they expire in 60 days, placing a burden on both the operators and us as developers for supporting hot reloading of updated certificates. Potentially solvable, but likely to be a headache in perpetuity.

Hosting self-signed .cert files (generally PEM formatted) for download, which the client may use, feels best now, but we should think about it more.

The option that is like what @Yaiba said uplink does is to disable certificate verification on the client and override the verification method used by the standard library's TLS negotiation:

    // InsecureSkipVerify turns off the standard chain, hostname and expiry checks;
    // customVerify (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error)
    // is then the only thing standing between the client and an unauthenticated peer.
    conf := &tls.Config{
        InsecureSkipVerify:    true,
        VerifyPeerCertificate: customVerify,
    }

Potentially we could define customVerify in such a way that it performs a drastically simplified verification, using only a pre-accepted node public key or fingerprint to just verify. I am researching if and how we can craft this tls config so that just node pubkeys (not actual x509 certificates) can be used to at least gain encrypted communication without losing the ability to authenticate the remote host, even if we ignore many of the intended checks of the normal TLS certificate verification process (host name matches cert, not expired, etc).

An open question is how Fractal intends to configure their load balancers that are intended to sit between clients and the federated network nodes. If it's a raw TCP reverse proxy, then it's on the kwild nodes to negotiate. If the idea is to set up a gRPC or HTTP/2-aware proxy, then TLS would terminate there. That could solve problems, but it might make new ones.

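The "drastically simplified verification" sketched above, worked out as an added example. This is not kwil-db code and nothing here is the project's API: `SPKIFingerprint`, `PinnedVerifier`, `PinnedClientConfig` and `NewSelfSignedCert` are names chosen for the illustration, and the self-signed certificate is constructed test data standing in for a node key. The client sets `InsecureSkipVerify` exactly as in the snippet quoted in the thread, and `VerifyPeerCertificate` then checks only that the leaf certificate's public key hashes to a pre-accepted fingerprint; with that callback in place the connection is both encrypted and authenticated to the pinned node, while without it `InsecureSkipVerify` alone would accept any peer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo. Pinning the key
// rather than the whole certificate lets a node re-issue its self-signed
// certificate (new expiry, new SANs) without clients having to update the pin.
func SPKIFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// PinnedVerifier returns a VerifyPeerCertificate callback that accepts the peer
// only when the leaf certificate's key fingerprint equals the pre-shared pin.
// It replaces the chain/hostname/expiry checks that InsecureSkipVerify disables.
func PinnedVerifier(pin [32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("parse peer certificate: %w", err)
		}
		got := SPKIFingerprint(leaf)
		if subtle.ConstantTimeCompare(got[:], pin[:]) != 1 {
			return fmt.Errorf("peer key %s... does not match pin %s...",
				hex.EncodeToString(got[:8]), hex.EncodeToString(pin[:8]))
		}
		return nil
	}
}

// PinnedClientConfig is the client side of the pattern quoted in the thread:
// InsecureSkipVerify turns off PKI validation, VerifyPeerCertificate puts key
// pinning in its place. (Hypothetical helper, not a kwil-db API.)
func PinnedClientConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: PinnedVerifier(pin),
		MinVersion:            tls.VersionTLS13,
	}
}

// NewSelfSignedCert generates a throwaway P-256 key and a self-signed
// certificate for it (constructed test data; a real node would derive this
// from its persistent node key).
func NewSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// main runs one handshake over loopback TCP with the correct pin and one with a
// corrupted pin, showing that the client still authenticates the node.
func main() {
	serverCert, err := NewSelfSignedCert()
	if err != nil {
		panic(err)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	goodPin := SPKIFingerprint(serverCert.Leaf)
	badPin := goodPin
	badPin[0] ^= 0xff
	for _, pin := range [][32]byte{goodPin, badPin} {
		conn, err := tls.Dial("tcp", ln.Addr().String(), PinnedClientConfig(pin))
		if err == nil {
			conn.Close()
		}
		fmt.Printf("pin %x...: handshake error = %v\n", pin[:4], err)
	}
}
```

The pin has to reach the client out of band (a config file or the node's published key), which is the same trust decision as downloading a self-signed .cert file, just reduced to 32 bytes that survive certificate rotation. Because `InsecureSkipVerify` also skips expiry and hostname checks, the callback is the only authentication step, so it should never be left nil in a config that sets that flag.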
