Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VUU333: Implement SSL on Layout Server #1120

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

pling-scottlogic
Copy link
Contributor

Description

Implements SSL on the layout server so that we can use a secure HTTPS connection when calling from Vuu UI. This will also satisfy the static code analysis and therefore remove the need to reference the calling code in the .semgrepignore file.

Notes

There are a few caveats which require more thought before we can implement TLS:

  1. Certificate & password storage
    • Storing the public certificate isn't an issue. But the layout server needs the private certificate/key in order to encrypt/decrypt for the TLS protocol
    • Uploading the private key to GitHub wouldn't be wise, as this would entirely negate the point of it being private
    • Since we're not hosting this on any platforms yet, and this is all locally developed, we don't have any to-hand third party tools or infrastructure for private key storage
    • It's also not the best idea to push an unencrypted password to GitHub
    • Even if we encrypt the password in application.properties so it's not pushed to GitHub, someone will need to know that password, and it will remain a matter of how do you share that password to all developers who may need it?
  2. Replicating the certificate creation process
    • A possible solution to the private-key storage issue is to get developers who want to use the server to replicate the certificate creation process locally
    • This would work if they made sure to create the certificate with the properties the server expects, as defined in application.properties (keystore type, keystore location, keystore password, key alias)
    • Creating the certificates is super easy with mkcert (the tool we used), as it abstracts away the need for complicated CLI commands, self-signing, trusting, etc. One command handles the whole thing, and makes destroying the tickets super simple too.
    • But this places a blocker on developers being able to use the remote server - it would fail to build if application.properties is expecting certificates to be available which wouldn't be if a developer hadn't generated certs
    • The CLI command could possibly be incorporated into the server build process? Which would negate the need for manual intervention, and ensures all developers will have certs. Costly overhead if it happens every time though.

The certificates that exist on the branch shouldn't be used, because by pushing it remotely we've exposed the private key. If this work is going to be used, make sure to delete the current certificates and regenerate new ones.

Copy link

netlify bot commented Jan 11, 2024

Deploy Preview for papaya-valkyrie-395400 canceled.

Name Link
🔨 Latest commit f4e1cc4
🔍 Latest deploy log https://app.netlify.com/sites/papaya-valkyrie-395400/deploys/659fd67c02c13a0008b438ec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants