docs: TLS auto-cert and lenient client trust
This commit is contained in:
Joseph Doherty
@@ -375,6 +375,42 @@ deployment-heavy box, multiply per-session SQL connections, and complicate the
|
||||
cold-start path. Wire-side laziness solves the actual pain (oversized gRPC
|
||||
replies and a heavy DOM) without disturbing the materialization model.
|
||||
|
||||
## TLS Auto-Certificate and Lenient Client Trust
|
||||
|
||||
Decision: when a Kestrel `https://` endpoint is configured without a certificate
|
||||
of its own (and no `Kestrel:Certificates:Default` is set), the gateway generates
|
||||
and persists a self-signed certificate rather than failing to start. Clients
|
||||
connecting over TLS without a pinned CA accept whatever certificate the server
|
||||
presents by default; pinning a CA restores full verification.
|
||||
|
||||
Rationale: `mxaccessgw` is an internal tool with no PKI to issue or distribute
|
||||
certificates. The prior behavior — an `https` endpoint with no certificate
|
||||
fails at startup with Kestrel's opaque "no server certificate was specified"
|
||||
error — pushed operators toward plaintext (`h2c`), exposing the API key and
|
||||
request payloads on the wire. Auto-generating a long-lived, persisted, reused
|
||||
certificate lets TLS "just work" with zero certificate management, while the
|
||||
lenient client default means clients connect to that self-signed certificate
|
||||
without a manual trust step. Both choices are deliberate, not oversights:
|
||||
strict-by-default would force PKI work this tool does not warrant. Plaintext-only
|
||||
deployments are untouched — no certificate or key material is written for them —
|
||||
and an operator who supplies a real certificate transparently overrides the
|
||||
generated one.
|
||||
|
||||
Two clients diverge from "accept any certificate" because their gRPC stacks lack
|
||||
a per-channel skip-verify hook:
|
||||
|
||||
- Python uses trust-on-first-use: it fetches the server's presented certificate
|
||||
over a separate unverified probe and pins it for the channel, and defaults the
|
||||
SNI/target-name override to `localhost` (the generated certificate always
|
||||
carries a `localhost` SAN).
|
||||
- Rust is pin-only: tonic exposes no public hook to inject a custom certificate
|
||||
verifier, so TLS over Rust requires either a pinned CA or an explicit opt-in to
|
||||
system-trust verification; otherwise connecting returns a clear, actionable
|
||||
error.
|
||||
|
||||
See [Gateway Configuration — Automatic self-signed certificate](./GatewayConfiguration.md#automatic-self-signed-certificate)
|
||||
and the per-client READMEs for the as-built behavior.
|
||||
|
||||
## Later Revisit Items
|
||||
|
||||
These are explicit post-v1 revisit items, not open blockers:
|
||||
|
||||
Reference in New Issue
Block a user