-
Notifications
You must be signed in to change notification settings - Fork 988
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QSP-4 Use Self-Signed, Secure gRPC Connection by Default #6428
Conversation
6821d6e
to
82b5b78
Compare
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions. |
This pull request has been closed due to inactivity. Please reopen this pull request if you would like to continue working on it. |
@rauljordan re-opened this, please resolve tests and conflicts |
sorry, I just realised this was marked back to a draft, is this still relevant ? |
This pull request has been closed due to inactivity. Please reopen this pull request if you would like to continue working on it. |
What type of PR is this?
What does this PR do? Why is it needed?
Currently, beacon nodes set up an insecure gRPC connection by default unless cert and key flags are passed in. Our security audit instead recommended setting up encrypted communications by default. This PR creates self-signed certificates in datadir/cert.pem and datadir/key.pem when running a beacon node with default options. The beacon node then spins up a gRPC server using TLS configuration with this self-signed cert. The validator client then attempts to connect via TLS. Since it cannot verify the certificate authority properly (as it is self-signed), it will connect with an encrypted connection despite failing certificate authority verification.
Which issues(s) does this PR fix?
Part of #6327