hashgraph / hedera-sdk-java

Hedera™ Hashgraph SDK for Java
https://docs.hedera.com/guides/docs/sdks
Apache License 2.0

Complete TLS support #601

Closed SimiHunjan closed 3 years ago

SimiHunjan commented 3 years ago

Problem

The SDK currently does not have complete TLS support.

Solution

Hedera Services will be adding TLS support in the 0.17.0 release to enable complete TLS support.

Alternatives

No response

SimiHunjan commented 3 years ago

Hedera services to add support for compatible cipher suite https://github.com/hashgraph/hedera-services/issues/2053

janaakhterov commented 3 years ago

@steven-sheehy @Sean-Tedrow-LB @mehcode TLS questions that come to mind:

  1. Should TLS be the default connection?
  2. Should you be able to turn off TLS?
  3. If someone runs a local network on different ports than 50211 for plaintext and 50212 for TLS, how should we handle that? Should the user be able to set which port is for plaintext and which is for TLS, or should we simply not support TLS on any network that is not running on those ports? The point here is if someone creates a client for this local network and, let's say, wants to upgrade the connections to use TLS with something like Client.setUseTransportSecurity(true), would we implicitly try to change the port to 50212?

steven-sheehy commented 3 years ago

  1. Should TLS be the default connection?

Not anytime soon at least. Still trying to get it to work.

  2. Should you be able to turn off TLS?

Yes

  3. If someone runs a local network on different ports than 50211 for plaintext and 50212 for TLS, how should we handle that? Should the user be able to set which port is for plaintext and which is for TLS, or should we simply not support TLS on any network that is not running on those ports? The point here is if someone creates a client for this local network and, let's say, wants to upgrade the connections to use TLS with something like Client.setUseTransportSecurity(true), would we implicitly try to change the port to 50212?

I don't think we need to worry about local nodes until we have permissionless nodes or maybe at least have community nodes. Long term it should use the address book, whether that's the static one checked in or one pulled from an API. I've previously created a ticket that should make it easy to determine: https://github.com/hashgraph/hedera-services/issues/1452

janaakhterov commented 3 years ago

Considering we now have some basic integration tests that test TLS with testnet and previewnet, I think we can safely close this issue. I've created a new issue for upgrading the usability of TLS in the SDKs: #672