HTTPS must be forced for RPC connections #79
Comments
I would suggest that we only enable
I am using parity nodes configured as private networks for bridge testing, so it is not only for compile-time.
yrashk added a commit to yrashk/parity-bridge that referenced this issue on May 24, 2018:
Solution: by default, disallow use of non-TLS RPC endpoints

For testing, there's an escape hatch of a command line argument `--allow-insecure-rpc-endpoints` (purposefully long) that will reduce the severity of using a non-TLS RPC endpoint to a warning in a log file. It was not made to be a configuration file option to reduce the risk of this option slipping into a production configuration file by mistake.

Closes omni#79
ghost assigned yrashk on May 24, 2018
ghost added the "in progress" label on May 24, 2018
yrashk added a commit to yrashk/parity-bridge that referenced this issue on May 28, 2018 (same commit message as above)
yrashk added a commit to yrashk/parity-bridge that referenced this issue on May 31, 2018 (same commit message as above)
yrashk added a commit to yrashk/parity-bridge that referenced this issue on Jun 4, 2018 (same commit message as above)
ghost removed the "in progress" label on Jun 4, 2018
noot pushed a commit to noot/poa-bridge that referenced this issue on Jul 18, 2018 (same commit message as above)
As per the recommendation from a team-provided security audit for POA bridge, it is needed to force HTTPS connections for RPC communications.
In other words, an RPC connection must not succeed if HTTP is used, and the bridge instance must stop.
For testing purposes a new parameter like force_https could be introduced in the configuration file. Its value should be yes by default. If it is necessary to use an HTTP connection instead of HTTPS, the parameter needs to be set to no.
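The following is an added example, not parity-bridge's or poa-bridge's own code, showing the policy the issue asks for and the shape the commit above gave it: every configured RPC endpoint is checked before any connection is made, a plain http:// endpoint is a hard failure that stops the bridge, and the only relaxation is the command-line flag `--allow-insecure-rpc-endpoints` (the flag name is from the commit message), which downgrades the failure to a warning for the caller to log. Following the commit's reasoning, there is deliberately no `force_https` config-file key. The `RpcPolicy` and `EndpointError` types, the `check`/`check_all` functions and the sample endpoint list are assumptions made for this example; it uses only the standard library.

```rust
// Added example (not the bridge's own code): TLS-by-default RPC endpoint
// validation with a command-line-only escape hatch. Type and function
// names here are assumptions for illustration.
use std::fmt;

/// The only escape hatch. It is intentionally read from argv and never
/// from a configuration file, so it cannot slip into a production config.
pub const ALLOW_INSECURE_FLAG: &str = "--allow-insecure-rpc-endpoints";

#[derive(Debug, PartialEq)]
pub enum EndpointError {
    /// Plain HTTP while insecure endpoints are not allowed.
    InsecureScheme(String),
    /// A scheme the bridge does not speak at all (e.g. ftp).
    UnsupportedScheme(String),
    /// No "scheme://" prefix could be parsed from the endpoint string.
    Malformed(String),
}

impl fmt::Display for EndpointError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            EndpointError::InsecureScheme(u) => write!(
                f, "refusing non-TLS RPC endpoint {}; pass {} to override (testing only)",
                u, ALLOW_INSECURE_FLAG),
            EndpointError::UnsupportedScheme(s) => write!(f, "unsupported RPC scheme {}", s),
            EndpointError::Malformed(u) => write!(f, "malformed RPC endpoint {}", u),
        }
    }
}

/// Extract the URL scheme without the `url` crate: everything before "://",
/// restricted to the characters RFC 3986 allows in a scheme.
fn scheme_of(endpoint: &str) -> Option<&str> {
    let idx = endpoint.find("://")?;
    let scheme = &endpoint[..idx];
    let valid = scheme.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.'));
    if valid { Some(scheme) } else { None }
}

pub struct RpcPolicy {
    pub allow_insecure: bool,
}

impl RpcPolicy {
    /// Derive the policy from argv only; there is no config-file equivalent.
    pub fn from_args<I, S>(args: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: AsRef<str>,
    {
        let allow_insecure = args.into_iter().any(|a| a.as_ref() == ALLOW_INSECURE_FLAG);
        RpcPolicy { allow_insecure }
    }

    /// Ok(None): endpoint uses TLS. Ok(Some(warning)): plain HTTP tolerated
    /// because the flag was given; the caller should log the warning.
    /// Err: the bridge must refuse to start.
    pub fn check(&self, endpoint: &str) -> Result<Option<String>, EndpointError> {
        let scheme = scheme_of(endpoint)
            .ok_or_else(|| EndpointError::Malformed(endpoint.to_string()))?;
        match scheme.to_ascii_lowercase().as_str() {
            "https" => Ok(None),
            "http" if self.allow_insecure => Ok(Some(format!(
                "WARNING: using non-TLS RPC endpoint {} because {} was given",
                endpoint, ALLOW_INSECURE_FLAG
            ))),
            "http" => Err(EndpointError::InsecureScheme(endpoint.to_string())),
            other => Err(EndpointError::UnsupportedScheme(other.to_string())),
        }
    }

    /// Validate every configured endpoint before any connection is attempted;
    /// the first failure aborts, so a single http:// entry stops the bridge.
    pub fn check_all(&self, endpoints: &[&str]) -> Result<Vec<String>, EndpointError> {
        let mut warnings = Vec::new();
        for ep in endpoints {
            if let Some(w) = self.check(ep)? {
                warnings.push(w);
            }
        }
        Ok(warnings)
    }
}

fn main() {
    // Constructed sample configuration: one TLS endpoint, one plain-HTTP one.
    let endpoints = ["https://home.example.org:8545", "http://127.0.0.1:8546"];
    let policy = RpcPolicy::from_args(std::env::args());
    match policy.check_all(&endpoints) {
        Ok(warnings) => {
            for w in &warnings {
                eprintln!("{}", w);
            }
            println!("all RPC endpoints accepted");
        }
        Err(e) => {
            eprintln!("{}", e);
            std::process::exit(1);
        }
    }
}
```

Run without arguments and the http:// entry makes the process exit non-zero before anything connects; run with `--allow-insecure-rpc-endpoints` and the same entry is accepted with a warning on stderr. Scheme matching is case-insensitive so `HTTPS://` is not mistaken for an unknown scheme, and anything other than http/https is rejected outright rather than silently passed through.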