Use and validate client certificates in P2P connections
Each p2p network peer has an x509 server certificate. Currently there is no authentication of TLS clients. Not authenticating clients makes the network vulnerable to several attacks whenever a peer makes use of the origin of a request. See issue #82 for an example.
- [x] pass peer certificates to HTTP connection manager for usage in new connections.
- [ ] require client authentication on the server side
- [ ] extract peer-id and host address from client certificate.
- [ ] the currently implemented protocol allows Chainweb-nodes to use public DNS names with "official" X509 certificates. Those certificates may not support usage for client authentication. If that turns out to be a common case, we either wouldn't accept connections from these nodes, or reject the "origin" information on BlockHeaders and Cuts that we get from these nodes, so that we won't pull data from them.
The main use case for public DNS names is boot-strap nodes. These nodes may just offer two endpoints: a read-only endpoint with the public name for bootstrapping and a second one with a self-signed certificate that is used for querying other nodes as client.
This issue is a prerequisite for #266
Need Lars to opine on whether this is still needed
As per discussion with Lars - keep issue, but not a high priority
Moved issue over to chainweb-node (106)
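
The concern in the last checklist item, that a certificate issued for server use may not be accepted for client authentication, can be checked through the certificate's extended key usage (EKU). The following is an added example, not code from this issue or from the Chainweb code base; it is written in Go with only the standard library, and the helper names, host names and self-signed trust anchors are constructed for illustration. It goes slightly beyond the text by also showing a certificate with no EKU extension, which the verifier treats as unrestricted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo helper: abort on any error
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed self-signed cert with the given EKUs (sample name, short lifetime).
func selfSigned(cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// UsableAsClient pins cert as its own trust anchor and checks that its EKUs permit TLS client auth.
func UsableAsClient(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Cases returns verdicts for serverAuth-only, serverAuth+clientAuth, and no-EKU certs.
func Cases() (bool, bool, bool) {
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	return UsableAsClient(selfSigned("boot.example", srv)),
		UsableAsClient(selfSigned("peer.example", srv, cli)),
		UsableAsClient(selfSigned("bare.example"))
}

func main() { fmt.Println(Cases()) }
```

A server that requires client certificates would reject the first kind of peer at the handshake, which is the case the checklist item weighs against ignoring "origin" information from such nodes.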