High level goal summary: all communication between internal Vespa processes shall be done exclusively over TLS, with mutual peer certificate verification being mandatory.
This is a tracker issue for the work that is planned, in progress and already completed.
Current completed features:
- TLS may be enabled for all backend RPC protocols except for indexed search (coming as part of ongoing query dispatch rewrite). This currently in practice requires a distinct CA for the application (and any trusted peers it may communicate with), as no CN/SAN matching is done on the client/server certificates, only that they are signed by the shared CA.
- It's possible to do a rolling upgrade from an insecure setup to a secure setup by explicitly configuring servers to accept both plaintext and TLS clients in a transition period.

In progress:
- Certificate verification based on per-node configurable CN/SAN matching.
Once the feature is considered complete we'll update the documentation and tutorials etc to help ensure that Vespa is set up with TLS by default when doing things the Recommended Way(tm).
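
The gap between CA-only trust and per-node CN/SAN matching described in the issue above, as an added Python example (not Vespa code and not Vespa's configuration format). It takes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, assumed to have already passed chain validation against the shared CA, and applies a hypothetical allowlist; the `ALLOWED_PEERS` structure, rule names and host names are constructed for illustration.

```python
import re

# Hypothetical per-node allowlist (constructed; not Vespa's config format).
# A rule matches only if every field it lists matches the peer certificate.
ALLOWED_PEERS = [
    {"name": "cluster-nodes", "cn": "*.node.example.internal",
     "san_dns": "*.node.example.internal"},
    {"name": "config-server", "san_dns": "cfg?.example.internal"},
]

def _glob(pattern):
    # '*' and '?' never cross a '.', so a wildcard cannot absorb extra labels.
    rx = re.escape(pattern).replace(r"\*", "[^.]*").replace(r"\?", "[^.]")
    return re.compile(rx, re.IGNORECASE)

def cert_names(cert):
    """Return (CNs, SAN DNS names) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def match_policy(cert, policies=ALLOWED_PEERS):
    """Name of the first rule the certificate satisfies, or None (reject)."""
    cns, sans = cert_names(cert)
    for rule in policies:
        checks = [(rule.get("cn"), cns), (rule.get("san_dns"), sans)]
        checks = [(p, names) for p, names in checks if p]
        # A rule with no fields must never match: that would be CA-only trust again.
        if checks and all(any(_glob(p).fullmatch(n) for n in names) for p, names in checks):
            return rule["name"]
    return None

def _cert(cn, *dns):  # builds constructed sample certificates
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", d) for d in dns)}

# All five are assumed signed by the shared CA, so CA-only checking accepts each one.
NODE = _cert("a1.node.example.internal", "a1.node.example.internal")
CONFIG = _cert("cfg1", "cfg1.example.internal")
OTHER_SERVICE = _cert("billing.example.internal", "billing.example.internal")
EXTRA_LABEL = _cert("x.y.node.example.internal", "x.y.node.example.internal")
CN_ONLY = _cert("a1.node.example.internal", "billing.example.internal")

if __name__ == "__main__":
    for label, c in [("node", NODE), ("config", CONFIG), ("other", OTHER_SERVICE),
                     ("extra-label", EXTRA_LABEL), ("cn-only", CN_ONLY)]:
        print(label, "->", match_policy(c) or "REJECT")
```

Under CA-only verification every sample certificate would be accepted; with name matching, only the first two map to a rule.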
Open source Vespa now officially supports mTLS across all internal services and endpoints. If you use Vespa Cloud this is—and always has been—enabled without any setup required.