
Support an encrypted protocol (TLS) for client-server communication #432

Closed
davionchen opened this issue Jun 14, 2022 · 2 comments · Fixed by #456
Labels: config (Configuration Center), enhancement (New feature or request), good advanced issue (suitable for basis of source code), issue-shoot (issue-shoot activity), service (Service registration discovery, service governance)

Comments

@davionchen

What is the feature you want to add?

Support an encrypted protocol for client-server communication.

Why do you want to add this feature?

Links in public-cloud environments must be encrypted to avoid the risk of data leakage.

How to implement this feature?
Phase 1: support an encrypted protocol; one-way authentication first, then mutual authentication.
Phase 2: support dynamic renewal of server and client certificates with a smooth transition.


@davionchen davionchen added the enhancement New feature or request label Jun 14, 2022
@chuntaojun chuntaojun changed the title from "Support an encrypted protocol for client-server communication, to meet financial compliance requirements on the cloud" to "Support an encrypted protocol (TLS) for client-server communication" Jun 14, 2022
@chuntaojun chuntaojun added apisever good advanced issue suitable for basis of source code labels Jun 14, 2022
@andrewshan (Member)

TLS support needs to be added to the current gRPC protocol.

@JasonChen86899 (Contributor) commented Jun 19, 2022

Scheme one:

  1. Create the certificates, including the server certificate and the CA certificate. Three files are involved:
     ca.crt, server.key, server.crt
     Note on certificate generation: the certificates must be generated with the SAN extension.
  2. The server loads the certificates at startup.
  3. When connecting, the client uses the CA certificate to verify that the server certificate is valid.

Modify the server configuration file as follows, adding a tls section under the apiserver configuration:

apiservers:
  - name: service-grpc
    option:
      xxxxxx
    api:
      xxxxxx
    tls:
      serverCert:
      serverKey:
      caCert:

The client configuration file has to be adapted in each language's client; for example, polaris-go's polaris.yml file gets a new setting for the path of the CA certificate file used for gRPC TLS.

Scheme two:
Server: expose a CA-certificate publishing interface that publishes the CA certificate on service start/restart and whenever the certificate is renewed, and open two gRPC ports so the switch-over is smooth.
Client: fetch the CA certificate at startup, watch the interface above for certificate updates, and then switch the communication channel.

Both schemes require the gRPC server to have the corresponding feature code first; that part can be developed up front.
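Added example (not code from this issue or from Polaris): the client-side check of scheme one, written in Go with only the standard library, using an in-memory CA and server certificate as a stand-in for ca.crt/server.crt. It shows why the SAN requirement above matters: Go's verifier does not match the CommonName, so a server certificate without a DNS SAN fails host-name verification even when it chains to the CA. The names issueCerts, verifyServerCert and the host polaris.example.internal are assumptions; wiring the resulting tls.Config into the gRPC server and client is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCerts builds a throwaway CA plus a server certificate signed by it (constructed fixture standing in for ca.crt/server.crt); withSAN decides whether a DNS SAN is set.
func issueCerts(host string, withSAN bool) (ca, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "polaris-test-ca"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, // CN alone is not matched
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		srvTmpl.DNSNames = []string{host} // the SAN extension the comment above calls for
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err) // fixture only: a CA that fails to parse is a programming error
	}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	if server, err = x509.ParseCertificate(srvDER); err != nil {
		panic(err)
	}
	return ca, server
}

// verifyServerCert is the client-side check of scheme one: the server certificate must chain to the configured CA and match the host name the client dialled.
func verifyServerCert(ca, server *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

In a real client the same pool goes into tls.Config.RootCAs and the host name into ServerName; the SAN and host-name rules the check applies are the ones the TLS handshake enforces.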

@andrewshan andrewshan added config Configuration Center service Service registration discovery, service governance and removed apisever labels Jun 27, 2022