cmd, node, rpc: TLS support #3506

Closed

wants to merge 1 commit into from

Conversation

farazdagi
Contributor

What?

  • This PR has basic support for transport layer security, and allows servicing RPC requests on HTTPS.
  • Both server and console have been updated i.e. you can use geth attach to connect to TLS-enabled node
  • Support for self-signed certificates (again both server and client side) has been added
  • Extra utils to auto-generate self-signed certificate/key

Why?

  • the obvious solution whenever one needs to fix mixed content issues (when you load your Dapp over https and connect directly to a node running on http) was to use an intermediary relay server, as outlined in the comments to Connecting a HTTPS WebAPP to Ethereum #2121
  • moreover, it has been stated that the RPC server functionality, being targeted at developers, probably doesn't need TLS support at all
  • one possible use case we have discovered is when Dapps running on Status communicate with the underlying Geth node directly (on a mobile device we try to minimize the number of intermediaries, so running a relay server is probably not the best idea)

Details

Server:

# start node, enable TLS, use provided cert/key
geth --testnet --light --rpc --tls --tlscert cert.pem --tlskey key.pem console

# start node, enable TLS, auto-generate cert/key
geth --testnet --light --rpc --tls console

Client:

# connect to TLS-enabled node, use given certificate, treat certificate as its own CA
geth --tlscert tlscert.pem --tlskey tlskey.pem --tlscertca attach https://localhost:8545

# connect to TLS-enabled node, make sure that client accepts any key provided by server
# (including self-signed certificate)
geth --tlsnoverify attach https://localhost:8545

# connect to TLS-enabled node, which uses certificate signed by known CA
# (no --tlscertca/--tlsnoverify needed: the certificate verifies against the client's trust store)
geth attach https://localhost:8545

Roadmap

  • as no prior discussion has been held, the purpose of this PR, at this stage, is more to gauge interest than anything else
  • if there is interest in merging the thingy, then tests will be provided and overall polishing attempted (guided by recommendations/comments from the core team)
  • if there is no intent to merge, then this PR should be closed. Hopefully, someone looking for TLS support will be able to locate the PR and, effectively, have a good starting point (thus the community can still benefit)
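The three client modes listed under Details (pin the server's self-signed certificate as its own CA, skip verification, or rely on the normal trust store) can be exercised end to end against a self-signed HTTPS endpoint. The Go program below is an added example and is not code from this PR or from go-ethereum: it stands up a stub JSON-RPC server over TLS with an in-memory self-signed certificate (the auto-generate case), then shows what each client configuration does. The function names, the stub server, and the constructed version string "Geth/tls-example" are all assumptions of this example; the only thing it takes from geth is the JSON-RPC 2.0 envelope.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// rpcMessage is the minimal JSON-RPC 2.0 envelope geth's HTTP endpoint speaks.
type rpcMessage struct {
	JSONRPC string `json:"jsonrpc"`
	Method  string `json:"method,omitempty"`
	Result  string `json:"result,omitempty"`
	ID      int    `json:"id"`
}

// SelfSignedCert builds an in-memory self-signed cert for a loopback server (the
// PR's auto-generated cert/key). It is its own CA: a client must pin it or skip verification.
func SelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // just produced by the library, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// StartRPCServer serves a stub JSON-RPC endpoint over HTTPS with the given cert.
// Only web3_clientVersion is answered, with a constructed version string.
func StartRPCServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req rpcMessage
		res := rpcMessage{JSONRPC: "2.0"}
		if err := json.NewDecoder(r.Body).Decode(&req); err == nil && req.Method == "web3_clientVersion" {
			res.ID, res.Result = req.ID, "Geth/tls-example"
		}
		json.NewEncoder(w).Encode(res)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// PinnedConfig trusts exactly one certificate, as the PR's --tlscertca does: the
// self-signed cert is the only root, so a server presenting any other cert is rejected.
func PinnedConfig(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// NoVerifyConfig mirrors --tlsnoverify: the channel is encrypted but the peer is
// not authenticated, so an active attacker presenting any cert is accepted.
func NoVerifyConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// Call sends one JSON-RPC request to url using cfg. A nil cfg means the system trust
// store (what a browser or a client given no TLS flags uses); a self-signed server
// cert fails there with "certificate signed by unknown authority".
func Call(url, method string, cfg *tls.Config) (string, error) {
	body, _ := json.Marshal(rpcMessage{JSONRPC: "2.0", Method: method, ID: 1})
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out rpcMessage
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	return out.Result, nil
}
```

Running Call against the server with PinnedConfig(leaf) succeeds, with NoVerifyConfig() succeeds, and with a nil config fails, which is exactly why geth attach in the PR needs either --tlscertca or --tlsnoverify for an auto-generated certificate. The difference between the first two matters: a second, unrelated self-signed server is rejected by the pinned client but accepted by the no-verify client, so --tlsnoverify protects against a passive observer only and should be treated as a development convenience, not a deployment setting.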

@mention-bot

@farazdagi, thanks for your PR! By analyzing the history of the files in this pull request, we identified @fjl, @karalabe and @kenji-isuntv to be potential reviewers.

@obscuren
Contributor

Sorry for the late response and thank you for your PR. We're discussing this internally

@obscuren
Contributor

We've discussed internally and here's what we decided:

  • We'd like to get TLS support for RPC in 1.6 (next version, ~2-4 weeks)
  • We like to support TLS through configuration files (not yet supported)
  • We do not want TLS to be configurable through CLI flags

Are you interested in doing the extra work once configuration files have been implemented?

@obscuren
Contributor

obscuren commented Feb 15, 2017

@farazdagi: @fjl will reimplement the configuration PR. We've decided to take a different approach. #3424 maps CLI flags directly through configuration; instead we want to add hierarchical configuration options by mapping them directly to our internal config structs.

@fjl: please ping this PR.

@obscuren obscuren modified the milestone: 1.6.0 Feb 18, 2017
@fjl
Contributor

fjl commented Apr 10, 2017

We're postponing this to 1.6.1. The RPC server configuration mechanism will be reworked and I'll add support for TLS then.

@fjl fjl closed this Apr 10, 2017
@nwilson1412

Hi any update on this, as 1.6.1 is out?

@karalabe
Member

karalabe commented Oct 28, 2017 via email

@jozanza

jozanza commented Nov 28, 2017

Yeah I'd also love an update on this one if possible

@fjl
Contributor

fjl commented Dec 1, 2017

We got distracted by other stuff and didn't implement new configuration for RPC endpoints. This is up for grabs if anyone wants to do it.

@pranavburnwal

+1
Need this...

@tamama

tamama commented Apr 24, 2018

+1
#16554

@sanguohot

+1
Need it...
