-
-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support TLS server sockets #266
Comments
I think it's a good idea in general and I see your prototype doesn't introduce any deps, so I'd consider something like this for upstream inclusion. My main concern is the long-term maintenance of this functionality, though, as TLS is not exactly my specialty. :-) We'll also need to document this extensively (both the rationale and the usage) for upstream inclusion. |
Thanks @bbatsov I've cleaned up the code a bit. My speciality is also not TLS unfortunately. As long as the Java API does not change, I think that "upgrading" the TLS protocol used is as easy as updating I'm no expert, but from what I understand elliptic curve keys have become more mainstream since Aphyr's original version. They are shorter and faster. Adding support for them (or another keytype that Java supports), was as easy as adding a string to a vector here. With regard to this I'm not all that worried that maintaining this will be too hard. At least insofar as maintaining only means keeping used protocol versions up to date. I will try to document both rationale and usage. |
Sounds like a plan to me. Thanks for the update and for working on this! |
@ivarref Any progress here? |
Hi @bbatsov Sorry for the long delay again. I have been sick lately. I haven't forgotten about this though. I want to make the following changes/improvements:
I hope to get time for this soon. |
No rush! |
Hi again @bbatsov I've created a pull request: What do you think? Thanks again! Edit: And documents how it is to be used.
Edit 2: |
Implemented in #283. |
Is your feature request related to a problem? Please describe.
Currently our containers are running inside private virtual networks in Azure. There is no SSH available on the containers' hosts. Thus we have to bind to
0.0.0.0
when starting nREPL servers. If someone gets access to the virtual network, they will also have access to all backends that exposes nREPL servers.Describe the solution you'd like
I'd like to be able to run
nrepl.server/start-server
with either:tls-keys-str
or:tls-keys-file
to further strengthen security.Describe alternatives you've considered
I've considered running apache-mina on the containers. This adds additional dependencies. The JVM already supports TLS (no extra dependencies needed).
Additional context
I have a working proof of concept at ivarref/nrepl and ivarref/cert-friend (the latter only for writing keys). It's based on aphyr/less-awful-ssl, but updated to use TLS v1.3, as well as adding some string utils.
0.9.0-SNAPSHOT
into the local repository:Notice the s in nrepls.
127.0.0.1:5600
) using your favorite editor/IDE.Thanks and kind regards.
The text was updated successfully, but these errors were encountered: