Fabric / FAB-6923

Have SDKs generate self-signed TLS certificates for mutual TLS (required even when peer is not set up for mutual TLS)


    Description

      In some cases, clients will be deployed without TLS certificates and will connect to the peer when the peer uses TLS.

      In this kind of scenario, the peer would send a certificate request to the client, and the client will not send anything back - and then the discovery service would reject the peer's connection.

      In order to ensure the clients will be able to use the discovery service in spite of lacking a TLS certificate, we can just have them auto-generate one and self-sign it.
      Then, the peer would obtain the certificate (but not verify it!) and a mutual TLS handshake will take place, which would allow the client to authenticate to the peer.

      Note - for Service Discovery, this is required even when the peer is not set up for mutual TLS, that is, even when the peer has clientAuthRequired=false.
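
The approach described above, as an added Go example that is not part of the original issue or of any Fabric SDK: the client generates a throwaway P-256 key and a self-signed certificate, and a stand-in peer requests a client certificate without verifying its chain. The stand-in peer is an `httptest` TLS server using `tls.RequestClientCert` (an assumption standing in for the peer's gRPC endpoint); the names `selfSignedClientCert` and `peerSees` and the subject `ephemeral-sdk-client` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedClientCert makes a fresh P-256 key and a certificate signed by that same key.
func selfSignedClientCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()),
		Subject:   pkix.Name{CommonName: "ephemeral-sdk-client"}, // constructed name
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key) // template is its own parent
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// peerSees makes one TLS request to a stand-in peer (assumption: httptest, not
// gRPC) and returns the client certificates that peer received in the handshake.
func peerSees(client []tls.Certificate) ([]*x509.Certificate, error) {
	seen := make(chan []*x509.Certificate, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.TLS.PeerCertificates
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert} // request a certificate, verify no chain
	srv.StartTLS()
	defer srv.Close()
	c := srv.Client() // already trusts the stand-in peer's own certificate
	c.Transport.(*http.Transport).TLSClientConfig.Certificates = client
	resp, err := c.Get(srv.URL)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-seen, nil
}
```

Calling `peerSees(nil)` models the client deployed without a certificate: the handshake still completes, but the peer receives no certificate. Because no chain is verified, the certificate the peer receives proves only that the client holds the matching private key.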


            People

              mastersingh24 Gari Singh
              yacovm Yacov Manevich