R4R: Implement HTTPS for the LCD REST server #2364
Conversation
alessio
requested review from
cwgoes,
ebuchman and
rigelrozanski
as code owners
Codecov Report
@@ Coverage Diff @@
## develop #2364 +/- ##
===========================================
- Coverage 64.77% 64.39% -0.39%
===========================================
Files 137 138 +1
Lines 8469 8617 +148
===========================================
+ Hits 5486 5549 +63
- Misses 2620 2693 +73
- Partials 363 375 +12 |
alessio
force-pushed
the
alessio/595-lcd-over-https
branch
2 times, most recently
from
e474e98 to
44b929a
Compare
alessio
changed the title
alessio
requested review from
fedekunze,
faboweb,
jaekwon,
alexanderbez,
zmanian and
ValarDragon
|
One of the very important attacks that this change should mitigate is the ability to a website to use javascript to search for an instance of LCD and interact with it b/c the browser will not trust this certificate and javascript can't override this. |
client/lcd/certificates.go
Outdated
| ) | ||
|
|
||
| // default: 10 years | ||
| const defaultValidFor = 365 * 24 * time.Hour |
There was a problem hiding this comment.
Can anyone think a reason why 10 year validity is dangerous for a ephemeral cert?
In most cases where you would have a unusually long lived instance of the LCD best practice would be to supply your own Cert.
There was a problem hiding this comment.
@zmanian I've set it to 1 year already. Do you reckon that is reasonable?
There was a problem hiding this comment.
Maybe 30 days? @jessysaurusrex What do you think?
There was a problem hiding this comment.
Certainly not a year either I think. 30 days sounds reasonable. Some other system event might even kill the LCD before that anyway.
client/lcd/certificates.go
Outdated
| // default: 10 years | ||
| const defaultValidFor = 365 * 24 * time.Hour | ||
|
|
||
| func generateSelfSignedCert(host, ecdsaCurve string, rsaBits int) (certBytes []byte, priv interface{}, err error) { |
There was a problem hiding this comment.
Maybe it should only be localhost?
There was a problem hiding this comment.
Dropped a test case for IPv6 addresses too. IMvHO that should be user's call, though "localhost" sounds like a sane default to me.
alessio
force-pushed
the
alessio/595-lcd-over-https
branch
from
5cbf95b to
4f00d6b
Compare
alessio
force-pushed
the
alessio/595-lcd-over-https
branch
from
01f350c to
0e1d5d9
Compare
In order to guarantee a secure connection between apps and the LCD the communication must be encrypted - even if clients and server run on the same local machine, credentials must never be transmitted in clear text. Upon start up, the server generates a self-signed certificate and a key. Both are stored as temporary files; removal is guaranteed on exit. This new behaviour is now enabled by default, though users are provided with a --insecure flag to switch it off. See #595
alessio
force-pushed
the
alessio/595-lcd-over-https
branch
from
0e1d5d9 to
f5ea1e6
Compare
client/lcd/certificates.go
Outdated
| ) | ||
|
|
||
| // default: 10 years | ||
| const defaultValidFor = 365 * 24 * time.Hour |
There was a problem hiding this comment.
Certainly not a year either I think. 30 days sounds reasonable. Some other system event might even kill the LCD before that anyway.
client/lcd/certificates.go
Outdated
|
|
||
| func generateSelfSignedCert(host string) (certBytes []byte, priv *ecdsa.PrivateKey, err error) { | ||
| priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
| notBefore := time.Now() |
There was a problem hiding this comment.
Should we be using UTC for consistency?
client/lcd/certificates.go
Outdated
| template := x509.Certificate{ | ||
| SerialNumber: serialNumber, | ||
| Subject: pkix.Name{ | ||
| Organization: []string{"Acme Co"}, |
There was a problem hiding this comment.
Do we want some other org here? I guess it doesn't really matter for self-signed certs.
There was a problem hiding this comment.
Naah, it does not really matter. I could let the user customise it though.
There was a problem hiding this comment.
Do users see this (maybe if they inspect the certificate) - what about "Gaia Lite" as the organization?
client/lcd/certificates.go
Outdated
| template := x509.Certificate{ | ||
| SerialNumber: serialNumber, | ||
| Subject: pkix.Name{ | ||
| Organization: []string{"Acme Co"}, |
There was a problem hiding this comment.
Do users see this (maybe if they inspect the certificate) - what about "Gaia Lite" as the organization?
|
Never mind, just an intermittent failure. |
In order to guarantee a secure connection between apps and the LCD the communication must be encrypted - even if clients and server run on the same local machine, credentials must never be transmitted in clear text.
Upon start up, if no certificate/key file pair is supplied by the user, the server generates a self-signed certificate and a key; both are stored as temporary files and removal is guaranteed on exit.
This new behaviour is now enabled by default, though users are provided
with a
--insecureflag to switch it off.See #595
docs/)PENDING.mdwith issue #Files changedin the github PR explorerFor Admin Use: