[BESU-77] - Enable TLS for JSON-RPC HTTP Service #271
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Usman Saleem <usman@usmans.info>
rain-on
reviewed
Dec 20, 2019
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpService.java
Outdated
Show resolved
Hide resolved
atoulme
reviewed
Dec 20, 2019
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpService.java
Outdated
Show resolved
Hide resolved
-- Use known clients common name and fingerprint to set up client authentication -- Updated cli option as password for trust store is not requried anymore Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
-- Simpligying optional condition to avoid warnings Signed-off-by: Usman Saleem <usman@usmans.info>
-- cli conditions Signed-off-by: Usman Saleem <usman@usmans.info>
-- Adding tls validation test Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
-- code formatting fixes Signed-off-by: Usman Saleem <usman@usmans.info>
-- Use Java new HttpClient instead of OkHttp in tls unit test Signed-off-by: Usman Saleem <usman@usmans.info>
-- Enabling junit and ssl debug logging Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
-- Enabling junit and ssl debug logging Signed-off-by: Usman Saleem <usman@usmans.info>
-- Adding loopback ip address in unit test known clients file Signed-off-by: Usman Saleem <usman@usmans.info>
-- ssl debug messages Signed-off-by: Usman Saleem <usman@usmans.info>
-- ssl debug in ethereum build.gradle Signed-off-by: Usman Saleem <usman@usmans.info>
-- spotless fixes Signed-off-by: Usman Saleem <usman@usmans.info>
-- further ssl debugging Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
rain-on
reviewed
Jan 9, 2020
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/tls/TlsConfiguration.java
Show resolved
Hide resolved
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/tls/TlsConfiguration.java
Outdated
Show resolved
Hide resolved
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/tls/TlsConfiguration.java
Outdated
Show resolved
Hide resolved
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/tls/TlsConfigurationException.java
Show resolved
Hide resolved
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
rain-on
reviewed
Jan 12, 2020
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
…factoring tlsconfiguration Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
rain-on
approved these changes
Jan 13, 2020
ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/tls/TlsConfiguration.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Usman Saleem <usman@usmans.info>
Signed-off-by: Usman Saleem <usman@usmans.info>
…pdate Signed-off-by: Usman Saleem <usman@usmans.info>
edwardmack
pushed a commit
to ChainSafe/besu
that referenced
this pull request
Feb 4, 2020
Expose following new command line parameters to enable TLS on Ethereum JSON-RPC HTTP interface to allow clients like Ethsigner to connect via TLS --rpc-http-tls-enabled=true (Optional - Only required if --rpc-http-enabled is set to true) Set to ‘true’ to enable TLS. false by default. --rpc-http-tls-keystore-file="/path/to/cert.pfx" (Must be specified if TLS is enabled) Path to PKCS12 format key store which contains server's certificate and it's private key --rpc-http-tls-keystore-password-file="/path/to/cert.passwd" (Must be specified if TLS is enabled) Path to the text file containing password for unlocking key store. --rpc-http-tls-known-clients-file="/path/to/rpc_tls_clients.txt" (Optional) Path to a plain text file containing space separated client’s certificate’s common name and its sha-256 fingerprints when they are not signed by a known CA. The presence of this file (even empty) will enable TLS client authentication i.e. the client will present its certificate to server on TLS handshake and server will establish that the client’s certificate is either signed by a proper/known CA otherwise server trusts client's certificate by reading it's sha-256 fingerprint from known clients file specified above. The format of the file is (as an example): localhost DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 Signed-off-by: Usman Saleem <usman@usmans.info>
edwardmack
pushed a commit
to ChainSafe/besu
that referenced
this pull request
Feb 4, 2020
Expose following new command line parameters to enable TLS on Ethereum JSON-RPC HTTP interface to allow clients like Ethsigner to connect via TLS --rpc-http-tls-enabled=true (Optional - Only required if --rpc-http-enabled is set to true) Set to ‘true’ to enable TLS. false by default. --rpc-http-tls-keystore-file="/path/to/cert.pfx" (Must be specified if TLS is enabled) Path to PKCS12 format key store which contains server's certificate and it's private key --rpc-http-tls-keystore-password-file="/path/to/cert.passwd" (Must be specified if TLS is enabled) Path to the text file containing password for unlocking key store. --rpc-http-tls-known-clients-file="/path/to/rpc_tls_clients.txt" (Optional) Path to a plain text file containing space separated client’s certificate’s common name and its sha-256 fingerprints when they are not signed by a known CA. The presence of this file (even empty) will enable TLS client authentication i.e. the client will present its certificate to server on TLS handshake and server will establish that the client’s certificate is either signed by a proper/known CA otherwise server trusts client's certificate by reading it's sha-256 fingerprint from known clients file specified above. The format of the file is (as an example): localhost DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50 Signed-off-by: Usman Saleem <usman@usmans.info> Signed-off-by: edwardmack <ed@edwardmack.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Description
Expose following new command line parameters to enable TLS on Ethereum JSON-RPC HTTP interface to allow clients like Ethsigner to connect via TLS
--rpc-http-tls-enabled=true(Optional - Only required if
--rpc-http-enabledis set to true) Set to ‘true’ to enable TLS. false by default.--rpc-http-tls-keystore-file="/path/to/cert.pfx"(Must be specified if TLS is enabled) Path to PKCS12 format key store which contains server's certificate and it's private key
--rpc-http-tls-keystore-password-file="/path/to/cert.passwd"(Must be specified if TLS is enabled) Path to the text file containing password for unlocking key store.
--rpc-http-tls-known-clients-file="/path/to/rpc_tls_clients.txt"(Optional) Path to a plain text file containing space separated client’s certificate’s common name and its sha-256 fingerprints when they are not signed by a known CA. The presence of this file (even empty) will enable TLS client authentication i.e. the client will present its certificate to server on TLS handshake and server will establish that the client’s certificate is either signed by a proper/known CA otherwise server trusts client's certificate by reading it's sha-256 fingerprint from known clients file specified above. The format of the file is (as an example):
localhost DF:65:B8:02:08:5E:91:82:0F:91:F5:1C:96:56:92:C4:1A:F6:C6:27:FD:6C:FC:31:F2:BB:90:17:22:59:5B:50Signed-off-by: Usman Saleem usman@usmans.info