Enable TLS support for gRPC client #1060

Merged
merged 4 commits into from
Jun 10, 2021
Member

@romac romac commented Jun 8, 2021

Closes: #877

Description

Enable TLS support in Tonic, and add system trust roots to gRPC client.

How to test

To test this, we can use an HTTPS reverse proxy in front of the gRPC endpoint of one of the chains.

  1. Install Caddy

$ brew install caddy

  2. Start the chains with the dev-env scripts

  3. Paste the following in a file named Caddyfile

localhost:2020

log {
    level DEBUG
}

reverse_proxy {
    to 127.0.0.1:9090

    transport http {
        versions h2c 2
    }
}

  4. Start Caddy in a new terminal window

$ caddy run

Caddy may prompt you for your password to install a local-only root CA.
We will remove this CA in step 8.

  5. In the Hermes config, change the grpc_addr of chain ibc-0 from http://127.0.0.1:9090 to https://localhost:2020

  6. Create a channel between ibc-0 and ibc-1:

$ hermes create channel ibc-0 ibc-1 --port-a transfer --port-b transfer -o unordered

  7. The command should succeed and you should see the proxied requests in the terminal window running Caddy.

  8. Run the following command to remove Caddy's root CA (it's a local-only CA so it should be safe but better remove it anyway if not in use)

$ caddy untrust

For contributor use:

  • Updated the Unreleased section of CHANGELOG.md with the issue.
  • If applicable: Unit tests written, added test to CI.
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
  • Updated relevant documentation (docs/) and code comments.
  • Re-reviewed Files changed in the Github PR explorer.

@romac romac changed the title Enable gRPC TLS support with system trust roots Enable TLS support for gRPC client Jun 8, 2021
Member

@adizere adizere left a comment

Managed to test, the instructions were very good, great work @romac !

@romac romac merged commit ff84aa7 into master Jun 10, 2021
@romac romac deleted the romac/tonic-tls branch June 10, 2021 17:24
@allthatjazzleo allthatjazzleo mentioned this pull request Jun 13, 2021
Contributor

faddat commented Jul 9, 2021

Does hermes reject non-https connections?

I am getting:

Error: chain runtime error: event monitor error: failed to create WebSocket driver: WebSocket Error: WebSocket protocol error: invalid HTTP version (code: 1)

Member

adizere commented Jul 12, 2021

Hi,

This issue concerns the gRPC client, parametrized by the Hermes config.toml grpc_addr option.

https://github.com/informalsystems/ibc-rs/blob/47899196c271f523a1db395202d77072beaa0593/config.toml#L47-L48

It seems like the error you're signalling is from the websocket client. This is the websocket_addr option.

https://github.com/informalsystems/ibc-rs/blob/47899196c271f523a1db395202d77072beaa0593/config.toml#L50-L52

To try to debug this, would you consider sharing your configuration file, at least the relevant options?

hu55a1n1 pushed a commit to hu55a1n1/hermes that referenced this pull request Sep 13, 2022
* Enable gRPC TLS support with system trust roots

* Update changelog