Open stasatdaglabs opened 2 years ago
It seems like TLS might be preferred; however, we'll need to deal with certificate generation. Does this already exist, or is it documented anywhere? Otherwise we'll need to provide details around certificate gen and location so it can be passed in config.
It looks like the genkeypair is for wallets and not related to TLS.
Yeah right, genkeypair is not related to TLS.
I think what we want is to allow some kind of authorized use of the RPC, but then leave an option to the user to decide to allow some restricted list of RPC calls to anonymous users (without auth).
Items discussed in dev chat:
rpcServer is the right place to implement this feature, given we want to offer protection from external gRPC connections and can secure with TLS.
The thinking is that if/when this feature gets enabled, it will likely cause issues with mining software, like BZminer, where Auth will need to be provided (needs to be tested).
The plan is to allow for TLS Auth as optional, not default. In doing so, this will avoid causing any issues with current configurations in miners. This feature would need to be configured to be enabled.
More to come and I'll update progress but this is currently underway in development.
Shoutout to the Kaspa devs in Discord for helping me navigate this and answering lots of questions 👍
Currently, many nodes have RPC ports potentially open to the world. Some manner of authentication should be implemented to mitigate it.
Suggested solution: gRPC supports authentication out-of-the-box: https://grpc.io/docs/guides/auth/