tinkerbell/tink

Intent to drop tls as default

mmlb opened this issue · 5 comments

mmlb commented

We've discussed this for a long time and generally have landed on support for dropping TLS from here (see #456). I'd like to make insecure the default and opt in for TLS support. Sandbox will continue having TLS support as it makes sense there, but tink-server doesn't really need it for dev purposes in its docker-compose setup. This makes local development easier and also lines up with letting a TLS-terminating proxy handle TLS and leave the tink connection clear and debuggable (w/o needing something like #162).

Expected Behaviour

tink-server can be started easily after go build

Current Behaviour

Need to first procure or generate TLS certificates before starting tink-server.
Generic gRPC debug tools need to be passed the certificates if signing keys are not in a trusted chain.
It's just a pain.

I would like to propose three alternative proposals to this proposal :)

  1. Keep TLS as the default, but allow it to be disabled with a command line option along the lines of --insecure or something else that clearly conveys the intent to the operator
  2. Keep TLS as the default, but allow it to be disabled with an explicit Go build tag at compile time
  3. Create some tooling that automates the creation of X.509 certificates and private keys for development use only, again clearly communicating the development/testing-only intent to the operator. If I understood how tink works / how it is used, perhaps this could even be used to safely create an internal PKI

mmlb commented

2 isn’t great because I’d like to use the container image, not rebuild tink.

3 is what we have already and is too much of a pain for development imo and what I’m trying to avoid doing.

1 makes sense and goes with @jacobweinstock's wishes too #456 (comment)

I should have added that Manny and I spoke about this, and decided that TLS will remain the default, but can be disabled with an as-of-yet unnamed CLI argument.

mmlb commented

WIP code is up at https://github.com/mmlb/tink/tree/non-tls-by-default if anyone wants to follow along or take it up

mmlb commented

TLS will stay default but we no longer require it and we no longer have the wonky code that makes self-signed certs easy and the normal trusted CA based certs not-super-great, which are both what I wanted to address so this can be closed. This was fixed via #584.
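
The outcome reached in this thread (TLS stays the default, plaintext only by explicit operator opt-in) can be sketched as a fail-closed startup check. This is an added example, not tink's code or the change in #584; the flag names `--insecure`, `--tls-cert` and `--tls-key` and the `resolveTransport` helper are hypothetical.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

type Transport struct {
	TLS               bool
	CertFile, KeyFile string
}

// resolveTransport fails closed: TLS is assumed unless the operator opts out
// explicitly, and ambiguous or incomplete flag combinations are rejected.
// Flag names are hypothetical, not tink-server's actual options.
func resolveTransport(args []string) (Transport, error) {
	fs := flag.NewFlagSet("server", flag.ContinueOnError)
	insecure := fs.Bool("insecure", false, "serve plaintext gRPC (TLS terminated elsewhere)")
	cert := fs.String("tls-cert", "", "PEM certificate file")
	key := fs.String("tls-key", "", "PEM private key file")
	if err := fs.Parse(args); err != nil {
		return Transport{}, err
	}
	hasCert, hasKey := *cert != "", *key != ""
	switch {
	case *insecure && (hasCert || hasKey):
		return Transport{}, errors.New("--insecure conflicts with --tls-cert/--tls-key")
	case *insecure:
		return Transport{TLS: false}, nil
	case hasCert && hasKey:
		return Transport{TLS: true, CertFile: *cert, KeyFile: *key}, nil
	case hasCert != hasKey:
		return Transport{}, errors.New("--tls-cert and --tls-key must be given together")
	default: // no flags at all: never downgrade to plaintext silently
		return Transport{}, errors.New("TLS is the default: pass --tls-cert and --tls-key, or opt out with --insecure")
	}
}

func main() {
	t, err := resolveTransport(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(2)
	}
	fmt.Printf("transport: %+v (plaintext when TLS is false)\n", t)
}
```

Rejecting the mixed case (`--insecure` together with certificate flags) keeps a leftover flag in a compose file or unit file from quietly deciding which mode the server runs in.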