openziti / zrok

Geo-scale, next-generation peer-to-peer sharing platform built on top of OpenZiti.
https://zrok.io
Apache License 2.0

verify Ziti's server cert #292

Open qrkourier opened 1 year ago

qrkourier commented 1 year ago

zrok should verify Ziti's server certificate before transmitting the Ziti login password

qrkourier commented 1 year ago

A new zrok controller config directive like ca_certs or tls_trust_bundle would be great. It could accept a PEM bundle as a string or file path or both.

qrkourier commented 5 months ago

While working my way back to this, I've mitigated the risk in my zrok instances with two approaches in this order:

  1. two containers (sidecar pattern) or processes sharing a network interface and communicating exclusively via IPC over IP on the loopback interface (ziti mgmt API is neither exposed nor published)
  2. two containers in an isolated bridge network communicating exclusively at layer 2 (LAN) (ziti mgmt API is exposed but not published)