decred / dcrwallet

A secure Decred wallet daemon written in Go (golang).
https://decred.org
ISC License

Allow client certificate authentication to dcrd RPC #2345

Closed jrick closed 2 months ago

jrick commented 2 months ago

When the new config option --dcrdauthtype=clientcert is set, a client certificate and key (set by --dcrdclientcert and --dcrdclientkey) will be used to authenticate the dcrd JSON-RPC connection instead of basic authentication with a user and password.

Closes #2101.

matthawkins90 commented 2 months ago

I haven't tested this, but I skimmed the code and it looks exciting. Really glad you finally made this happen! I know we have gencerts to automatically create secure certificates. These aren't the kinds of certs that need your CA to sign them to show they're trusted, right? dcrwallet will just trust dcrd completely if the certs match?

jrick commented 2 months ago

You can use CA-signed certificates, and that is what I am using personally as it simplifies a lot of my config, but you can also use self-signed certificates (they are their own CA).

And this is only for client authentication, not dcrwallet trusting dcrd's presented server certificates (which remains the same: you have to add it as a trusted certificate/CA with --cafile).
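
Added example (not part of this thread, and not dcrwallet or dcrd code): a Go `crypto/tls` program showing the two independent checks described in the comment above, where the server verifies the client certificate and the client separately verifies the server certificate. The `get` and `demo` names, the test server and the generated self-signed certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// get makes one HTTPS request. roots is the client's trust in the server (the
// role --cafile plays); certs is the identity the client presents, if any.
func get(url string, roots *x509.CertPool, certs ...tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, Certificates: certs}
	c := http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo runs three attempts against one server that requires a client certificate.
func demo() (both, noClientCert, noServerTrust error) {
	// Constructed self-signed client certificate (its own CA); these calls fail only if the RNG does.
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "wallet"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	id := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	clientCAs, serverCA := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(leaf) // server side: certificates allowed to authenticate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	serverCA.AddCert(srv.Certificate()) // client side: the server certificate it trusts
	return get(srv.URL, serverCA, id), // accepted: both directions verified
		get(srv.URL, serverCA), // rejected by the server: no client certificate
		get(srv.URL, x509.NewCertPool(), id) // rejected by the client: server not trusted
}

func main() { fmt.Println(demo()) }
```

The third attempt fails even though the client certificate is valid, because presenting a client certificate does nothing to establish trust in the server's certificate.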

matthawkins90 commented 2 months ago

Got it, thanks for the clarification!