Since gRPC-Web seems to have a firm place in the future and will not be replaced by gRPC-Gateway (see link below), my open issue for localsecret has gained more importance again, as it is currently not possible via Secret.NET / C# to establish a secure connection via gRPC-Web with localsecret.
(grpc-web) #14652 Use same port for gRPC-Web and the API server.
gRPC-Web
gRPC-Web is now listening to the same address as the gRPC Gateway API server (default: localhost:1317).
The possibility to listen to a different address has been removed, as well as its settings.
Hey @0xxCodemonkey, thanks for opening this! Don't see why not provide SSL in Localsecret.
Just letting you know that we've opened an internal ticket for this 👍🏼
Currently, the configuration of localsecret (Docker) differs from testnet and mainnet and uses HTTP instead of HTTPS on port 9091 (gRPC-web).
This currently leads to problems with some languages that require a certain connection security. In my case I'm talking about Secret.NET, a port of secretjs which uses C# / .NET.
In the case of .NET there are restrictions if you want to establish an unprotected connection via gRPC (see: gRPC services with ASP.NET Core and Troubleshoot gRPC on .NET Core).
There is the possibility to connect .NET to an unencrypted endpoint, but in this case the endpoint has to run only HTTP2 (and no HTTP) over this port because of protocol negotiation. If I see this correctly, localsecret also speaks HTTP on this port and it is therefore not possible for .NET to communicate over this multi-protocol port with localsecret over an unsecure connection.
Extract from gRPC services with ASP.NET Core:
Protocol negotiation
TLS is used for more than securing communication. The TLS Application-Layer Protocol Negotiation (ALPN) handshake is used to negotiate the connection protocol between the client and the server when an endpoint supports multiple protocols. This negotiation determines whether the connection uses HTTP/1.1 or HTTP/2.
If an HTTP/2 endpoint is configured without TLS, the endpoint's ListenOptions.Protocols must be set to HttpProtocols.Http2. An endpoint with multiple protocols, such as HttpProtocols.Http1AndHttp2 for example, can't be used without TLS because there's no negotiation. All connections to the unsecured endpoint default to HTTP/1.1, and gRPC calls fail.
My suggestion is to either
change port 9091 to HTTPS with a self-signed certificate (see Certificates for localhost)
or to offer a separate port e.g. 9443 with HTTPS (localsecret only) for gRPC-web
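The ALPN step described in the documentation extract above, as an added example that is not part of the issue or of the localsecret project: one TLS port advertises both `h2` and `http/1.1`, and the client's offer decides which protocol the connection uses. It assumes Go's `httptest` built-in self-signed test certificate as a stand-in for a localhost certificate, and the function name `negotiate` is hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// negotiate starts a throwaway HTTPS endpoint on loopback that advertises
// serverProtos via ALPN, connects to it offering clientProtos, and returns
// the protocol both sides agreed on ("" means nothing was negotiated).
func negotiate(serverProtos, clientProtos []string) (string, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{NextProtos: serverProtos}
	srv.StartTLS() // serves with httptest's self-signed test certificate
	defer srv.Close()

	// Trust exactly the endpoint's certificate instead of switching
	// certificate verification off on the client.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:    pool,
		NextProtos: clientProtos,
	})
	if err != nil {
		// With no protocol in common the server aborts the handshake.
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	server := []string{"h2", "http/1.1"} // one TLS port, two protocols
	for _, offer := range [][]string{{"h2"}, {"http/1.1"}, nil} {
		proto, err := negotiate(server, offer)
		fmt.Printf("client offers %v -> negotiated %q, err=%v\n", offer, proto, err)
	}
}
```

On a cleartext port there is no handshake in which this selection can happen, which is why the extract requires an unencrypted endpoint to speak HTTP/2 only.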