Support mTLS 1.3 #2307
Labels: design-review (design review required before implementing work), discussion, enhancement (New feature or request), triage
TLS was brought up multiple times while discussing issue 2188 in today's ENF Engineering meeting.

Currently, nodeos does not support any kind of encryption between itself and an API client or reverse-proxy. A service provider would deploy nodeos behind a reverse-proxy, where the reverse-proxy performs TLS termination for API clients. Traffic between the reverse-proxy and nodeos flows unencrypted, leaving it vulnerable to attacks in the event the service provider operates in a shared environment or their network is compromised.

The industry-standard solution is to use a service mesh to encrypt intra-datacenter communication using mTLS. Mutual TLS provides the added benefit of authenticating the reverse-proxy accessing nodeos. Other suggested workarounds included tunneling this traffic through a VPN or SSH. Another suggestion still was to directly support an Internet-facing API in Leap using a tool like Mongoose.

This ticket tracks mTLS 1.3 support until that design decision is made, and in the event HTTPS support is added to Leap.
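The following is an added, self-contained illustration of what the issue is asking for, not code from Leap or nodeos: a TLS 1.3-only HTTPS listener standing in for the nodeos API side that requires a client certificate chained to a private CA, plus two clients, one holding a certificate issued to a "reverse-proxy" identity and one with no certificate. The CA, server and client certificates are constructed in memory with the Go standard library; the common names "demo-ca", "nodeos" and "reverse-proxy" are labels chosen for this example, and the listener address is whatever httptest hands out on loopback. The point it makes beyond the prose is that with `RequireAndVerifyClientCert` the application handler never runs for an unauthenticated peer, and the authenticated identity is available to the service for logging or authorization.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert mints an ECDSA key and a certificate for cn, self-signed when isCA is set and
// otherwise signed by parent/parentKey. All material is constructed in memory for this demo.
func issueCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest serves on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// clientFor builds an HTTPS client that trusts roots and, when cert is non-nil,
// presents it. Pinning MinVersion on both ends is what makes this mTLS 1.3.
func clientFor(roots *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey) *http.Client {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS13}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// RunMTLSDemo runs the "nodeos" side as a TLS 1.3-only server that requires a client
// certificate chained to the demo CA, then connects once as "reverse-proxy" and once
// anonymously. It returns the authenticated peer CN and whether the anonymous peer was refused.
func RunMTLSDemo() (peerCN string, anonRejected bool, err error) {
	ca, caKey := issueCert(1, "demo-ca", true, nil, nil)
	srvCert, srvKey := issueCert(2, "nodeos", false, ca, caKey)
	proxyCert, proxyKey := issueCert(3, "reverse-proxy", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	seen := make(chan string, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached once the peer's chain verified against ClientCAs.
		seen <- r.TLS.PeerCertificates[0].Subject.CommonName
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "m" in mTLS
		ClientCAs:    pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
	}
	srv.StartTLS()
	defer srv.Close()

	// 1) The reverse proxy presents its CA-issued certificate and is accepted.
	resp, err := clientFor(pool, proxyCert, proxyKey).Get(srv.URL)
	if err != nil {
		return "", false, err
	}
	resp.Body.Close()
	peerCN = <-seen

	// 2) No client certificate: the server aborts the handshake.
	_, anonErr := clientFor(pool, nil, nil).Get(srv.URL)
	return peerCN, anonErr != nil, nil
}

func main() { fmt.Println(RunMTLSDemo()) }
```

Running it prints `reverse-proxy true <nil>`; the httptest server also logs the refused handshake from the anonymous client to stderr, which is the server-side signal an operator would watch for. Note that in TLS 1.3 the client's side of the handshake completes before the server evaluates the client certificate, so an unauthenticated client sees the failure as an alert or closed connection on its first request rather than as a handshake error, which is why the example checks the outcome of the request and not just the dial.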