Support to restrict TLS options for Ledger Server API (GRPC and JSON)

digital-asset / daml

The Daml smart contract language

https://www.digitalasset.com/developers

796 stars 201 forks source link

Support to restrict TLS options for Ledger Server API (GRPC and JSON) #6678

Open nycnewman opened 4 years ago

nycnewman commented 4 years ago

Change defaults for Ledger Server API (GRPC and JSON) to use minimum TLS version of 1.2 and associated cipher suite
Expose option at command line to allow specific use cases where a different configuration should be used
Support for OCSP or CRL for certificate revocation

cocreature commented 4 years ago

The JSON API does not have any builtin TLS support. It requires that you run it behind some reverse proxy so I think this really only applies to the gRPC API.

ghost commented 4 years ago

There's something to be said for leaving TLS to a dedicated server. I personally trust NGINX to get it right far more than Netty, and it's more configurable too. Why would we not just ask people do use NGINX (or another TCP reverse proxy) to front the GRPC API too?