TheThingsNetwork / lorawan-stack

The Things Stack, an Open Source LoRaWAN Network Server
https://www.thethingsindustries.com/stack/
Apache License 2.0

Remove authenticating LoRaWAN Backend Interfaces client by trusted CAs #6026

Open johanstokking opened 1 year ago

johanstokking commented 1 year ago

Summary

Remove authenticating LoRaWAN Backend Interfaces clients with TLS client authentication. This removes the validation logic for the certificate authority (CA) per SenderID.

Current Situation

Currently, interop.sender-client-ca contains CA configuration per SenderID. When a LoRaWAN Backend Interfaces client presents a certificate, The Things Stack validates it against the trusted CA with the given SenderID.

Why do we need this? Who uses it, and when?

We don't use this anymore; The Things Stack is no longer intended to be used as a stand-alone Join Server or roaming server.

Proposed Implementation

Remove certificate validation logic from the server pkg/interop.

The client should still support presenting TLS client certificates as other products likely require TLS client authentication.

johanstokking commented 1 year ago

Since we have users of this, let's do this as part of a major bump. It doesn't hurt too much keeping it in the codebase.