Client TLS enabled #319
Client TLS enabled #319
Conversation
Orion is now able to accept TLS connections from a client (web3 provider).
| + "\n" | ||
| + " - strict: All connections to the client connection of this node must use TLS with client authentication\n" | ||
| + " See the documentation 'clientconnectiontlsservertrust'\n" | ||
| + " - off: Mutually authenticated TLS is not used for in- and outbound\n" |
There was a problem hiding this comment.
given this is what people are actually reading, i'd suggest changing 'in-' to 'inbound'
There was a problem hiding this comment.
wanted to not change as much as possible - so have literally cut-and-paste existing descriptions.
There was a problem hiding this comment.
fair enough, i thought this was 'new'.. all good
| schemaBuilder.addString( | ||
| "clientconnectiontlsservertrust", | ||
| "tofu", | ||
| "TLS trust mode for the internal server endpoint. This decides who's allowed to connect to it. Options:\n" |
There was a problem hiding this comment.
break options to new line to make it easier to see when scanning down the page.
There was a problem hiding this comment.
not sure I understand - example?
There was a problem hiding this comment.
...connect to it. Options:\n
vs
connect to it.\nOptions:\n
So that in the usage, its
TLS trust mode for the internal server endpoint. This decides who's allowed to connect to it.
Options:
- blah...
There was a problem hiding this comment.
Ahhhh - going to be difficult and say taht Given this was cut-and-paste, don't want to change all instances.
| "ca-or-whitelist", | ||
| "tofu", | ||
| "insecure-tofa", | ||
| "ca-or-tofu", |
There was a problem hiding this comment.
this, for one, isn't documented above... is the intent to provide usage on all of these options? It'll be hard for people to know they're there if they're not documented...
There was a problem hiding this comment.
tried to update them ... not sure I was successful.
There was a problem hiding this comment.
Ok, it turns out this is probably a bigger issue.
I believe TOFU should be used for clients, TOFA is for servers.
Really - the Valid cases for a server param shouldn't have TOFU in them at all.... but that's where this becomes bigger.
Generally - Orion needs a sweep out - don't want to do it here.
src/test/java/net/consensys/orion/http/ClientConnectionWhiteListTest.java
Outdated
Show resolved
Hide resolved
| + " will be allowed only if it's the first certificate this node has seen for that host.\n"; | ||
|
|
||
| */ | ||
|
|
There was a problem hiding this comment.
NIT: remove the blank line
| assertThrows(SSLHandshakeException.class, () -> upcheckFailsUsingNonTlsClient(config.clientPort())); | ||
| } | ||
|
|
||
| private void upcheckFailsUsingNonTlsClient(final int orionPort) throws Exception { |
There was a problem hiding this comment.
nit: captialise the c in upCheck
Orion is now able to accept TLS connections from a client (web3 provider).