
Sensible defaults for Styx backend TLS settings.

Open mikkokar opened this issue 8 years ago • 0 comments

The problem

Enabling TLS for backend services doesn't work out of the box. Styx insists that a trust store is specified (tlsSettings.trustStorePath), even if it would not be used. This is quite burdensome, as an empty trust store must be created just for the sake of establishing a TLS connection to backends.

Detailed description

Styx should be more in line with default Java behaviour as described in JSSE Reference Guide:

  • When trustStorePath is absent, Styx should use a trust store specified by javax.net.ssl.trustStore system property.

  • When trustStorePath is absent, and javax.net.ssl.trustStore is not set, then use the default system truststore. This would be, for JDK provider, $JAVA_HOME/lib/security/jssecacerts, or $JAVA_HOME/lib/security/cacerts.

Acceptance criteria

  • Styx will start up with the following tlsSettings configuration, and either use the truststore configured via javax.net.ssl.trustStore system property, or alternatively revert to default keystore.
    - id: "tls11"
      path: "/v11"
      tlsSettings:
        trustAllCerts:       true
        sslProvider:         OPENSSL     # Also supports JDK
      origins:
      - { id: "app1", host: "mybackend:443" }

mikkokar, Nov 20 '17 13:11
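The lookup order the issue asks for is exactly what JSSE already performs when a TrustManagerFactory is initialised with a null KeyStore. The following Java example is added here to illustrate that; it is not Styx code and is not taken from the Styx project. The class name BackendTrustStoreResolver, the Source enum and the method names are hypothetical, and the resolve() method only reports which store JSSE would pick (explicit path, javax.net.ssl.trustStore, jssecacerts, cacerts) so that the decision can be logged or tested; the actual loading is delegated to TrustManagerFactory.init((KeyStore) null), which also honours javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not Styx code) mirroring the JSSE default trust store lookup. */
public final class BackendTrustStoreResolver {

    /** Which store the lookup settled on; useful for start-up logging and tests. */
    public enum Source { EXPLICIT_PATH, SYSTEM_PROPERTY, JSSECACERTS, CACERTS }

    public static final class Resolution {
        public final Source source;
        public final Path path;

        Resolution(Source source, Path path) {
            this.source = source;
            this.path = path;
        }

        @Override
        public String toString() {
            return source + " (" + path + ")";
        }
    }

    /**
     * Order from the JSSE Reference Guide:
     *   1. explicit trustStorePath (the Styx tlsSettings.trustStorePath value), if configured;
     *   2. the javax.net.ssl.trustStore system property, if set;
     *   3. $JAVA_HOME/lib/security/jssecacerts, if it exists;
     *   4. $JAVA_HOME/lib/security/cacerts otherwise.
     * java.home points at the JRE directory on both Java 8 and 9+, so lib/security works for both.
     */
    public static Resolution resolve(String configuredTrustStorePath) {
        if (configuredTrustStorePath != null && !configuredTrustStorePath.isEmpty()) {
            return new Resolution(Source.EXPLICIT_PATH, Paths.get(configuredTrustStorePath));
        }
        String sysProp = System.getProperty("javax.net.ssl.trustStore");
        if (sysProp != null && !sysProp.isEmpty()) {
            return new Resolution(Source.SYSTEM_PROPERTY, Paths.get(sysProp));
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = securityDir.resolve("jssecacerts");
        if (Files.isRegularFile(jssecacerts)) {
            return new Resolution(Source.JSSECACERTS, jssecacerts);
        }
        return new Resolution(Source.CACERTS, securityDir.resolve("cacerts"));
    }

    /**
     * Only the explicit-path case loads a KeyStore by hand. Every other case passes null
     * to TrustManagerFactory.init, which makes JSSE apply steps 2-4 itself, so no empty
     * trust store file is ever needed just to turn on TLS towards a backend.
     */
    public static TrustManager[] trustManagers(String configuredTrustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (configuredTrustStorePath != null && !configuredTrustStorePath.isEmpty()) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(configuredTrustStorePath)) {
                ks.load(in, password);
            }
            tmf.init(ks);
        } else {
            tmf.init((KeyStore) null); // JSSE default lookup: system property, then jssecacerts, then cacerts
        }
        return tmf.getTrustManagers();
    }

    /** SSLContext suitable for a client (backend) connection; no client key material is configured. */
    public static SSLContext sslContext(String configuredTrustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers(configuredTrustStorePath, password), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String configuredPath = args.length > 0 ? args[0] : null; // absent path = the case the issue describes
        System.out.println("trust store: " + resolve(configuredPath));
        SSLContext ctx = sslContext(configuredPath, null);
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
    }
}
```

Running the class with no argument prints which default store was chosen and builds a working SSLContext from it; running it with a path exercises the explicit case. Note that the acceptance-criteria YAML sets trustAllCerts: true, which skips chain validation altogether, so it does not exercise the trust store at all; the fallback above is what makes the verifying configuration (trustAllCerts: false with no trustStorePath) start up without a hand-made empty store.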