I've tried this locally and it is feasible. Opening this issue to discuss whether we should do this.
Background:
For all MPG clients and some DPG clients that use oauth2, the .NET SDK has a policy that "the protocol must be https". I think Java has the same problem, but I'm not sure whether other languages do.
When I try to bypass this check, there are some subsequent issues. So we are thinking of changing cadl-ranch from "http" to "https", which means we need a certificate. A self-signed certificate is the easiest way. The question is where we put this certificate:
Option 1
In the source code of cadl-ranch. Cons: I'm not sure if it violates any compliance requirements, since it contains a private key, though we really don't care about the privacy of this certificate.
Option 2
Every time we start the server, we call a script somewhere to generate this certificate. Cons: openssl needs to be installed on the build agent, and generating a cert might take several seconds.
Impacts for the client
At least for the .NET client, there will be a certificate check for each call. We need to bypass this check because the certificate is self-signed. If other languages have this check too, they need to bypass it as well.
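One way the start-up script from Option 2 could look, as an added example that is not part of the original issue or of cadl-ranch: it generates a short-lived certificate for localhost, keeps the private key owner-only and out of source control, and checks that a client can trust that one certificate with host name verification still on. The function names, file names, one-day lifetime and P-256 key type are assumptions.

```shell
#!/bin/sh
# Added example, not cadl-ranch code. Function names, file names, the
# one-day lifetime and the P-256 key type are assumptions.

# gen_dev_cert DIR: write DIR/key.pem and DIR/cert.pem for a local mock server.
gen_dev_cert() {
    (
        umask 077                       # key and directory are owner-only
        mkdir -p "$1" || exit 1
        openssl req -x509 -nodes \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -keyout "$1/key.pem" -out "$1/cert.pem" \
            -days 1 -subj "/CN=localhost" \
            -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
    )
}

# key_mode DIR: print the permission string of the private key file.
key_mode() {
    ls -l "$1/key.pem" | cut -c1-10
}

# key_matches_cert DIR: succeed if the certificate carries the key's public half.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# client_accepts DIR HOST: verify as a client would when it trusts only this
# certificate and still checks the host name, instead of disabling validation.
client_accepts() {
    openssl verify -CAfile "$1/cert.pem" -verify_hostname "$2" \
        "$1/cert.pem" >/dev/null 2>&1
}

# Usage: gen_dev_cert "$(mktemp -d)/tls" before starting the server, then
# point the server at key.pem/cert.pem and the test client at cert.pem.
```

Because the generated cert.pem is the only trust anchor the test client needs, validation can stay enabled for every other host.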