Implement a Generic TLS Configuration in Wrappers #3376

Open
5 tasks
GilboaAWS opened this issue Mar 17, 2025 · 0 comments

@GilboaAWS
Collaborator

GilboaAWS commented Mar 17, 2025

Description

We need to implement a unified and extensible TLS configuration option for our client libraries across all supported languages (Python, Node, Java, Go, etc.). This configuration should encapsulate various TLS settings, including—but not limited to—enabling/disabling certificate verification (e.g., TLS insecure mode), providing client certificates, and specifying CA certificates. The goal is to offer a flexible TLS configuration that can be easily extended for future requirements while ensuring secure defaults.

Motivation

Extensibility:
By introducing a dedicated TLS configuration structure (for example, a TlsConfiguration or TlsAdvancedOptions object), we can easily add more TLS-related parameters in the future, such as specifying paths to client certificates, private keys, and trusted CA certificates.

Enhanced Developer Experience:
Developers need the ability to easily configure TLS options, especially for local development or testing scenarios where using self-signed or unauthorized certificates might be necessary. At the same time, secure defaults should be maintained for production environments.

Security Considerations:
While there may be cases where bypassing certificate validation (i.e., TLS insecure mode) is acceptable for testing purposes, this option must be clearly documented and discouraged for production use to avoid potential security risks like man-in-the-middle attacks.

Proposed Changes

Define a Generic TLS Configuration Structure:

  • Create a dedicated TLS configuration object (e.g., TlsConfiguration, TlsAdvancedOptions) that encapsulates all TLS-related settings.
  • This object should support options such as:
      • Insecure Mode: A flag (e.g., tls_insecure) to bypass certificate validation.
      • Certificate Settings: Parameters to supply client certificates, private keys, and CA certificates.
      • Future Extensions: Placeholder for additional TLS options that may be needed later.

Implement Across All Language Wrappers:

  • Develop and integrate the TLS configuration object in all client libraries (Python, Node, Java, Go, etc.).
  • Ensure that TLS is secure by default, with the insecure mode and other options available only when explicitly configured.

Documentation and Usage Guidelines:

  • Clearly highlight the risks associated with disabling certificate validation and advise against its use in production environments.

Tasks

  • Implement TLS configuration support in the Python wrapper. - Python Wrapper - Support TLS insecure #3375
  • Implement TLS configuration support in the Node wrapper.
  • Implement TLS configuration support in the Java wrapper. - #3386
  • Implement TLS configuration support in the Go wrapper.
  • Implement TLS configuration support in the C# wrapper.

Additional Notes

No response
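
One possible shape for the configuration object proposed in this issue, as an added sketch that is not part of the issue or the project's code: it maps the options onto the Python standard library's `ssl.SSLContext`. All field names except `tls_insecure`, the `build_context` and `describe` helpers, and the rule rejecting a CA path together with insecure mode are assumptions of this sketch.

```python
import ssl
import warnings
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TlsConfiguration:
    """Hypothetical shape; only the tls_insecure name comes from the issue."""
    tls_insecure: bool = False              # secure by default
    ca_cert_path: Optional[str] = None      # PEM bundle of trusted CAs
    client_cert_path: Optional[str] = None  # PEM client certificate (mTLS)
    client_key_path: Optional[str] = None   # PEM private key for that certificate

    def __post_init__(self):
        # A client certificate is unusable without its private key, and vice versa.
        if bool(self.client_cert_path) != bool(self.client_key_path):
            raise ValueError("client_cert_path and client_key_path must be set together")
        # Design choice of this sketch: a CA bundle combined with disabled
        # verification is contradictory, so reject it instead of ignoring it.
        if self.tls_insecure and self.ca_cert_path:
            raise ValueError("ca_cert_path has no effect when tls_insecure is set")

    def build_context(self) -> ssl.SSLContext:
        # create_default_context() enables CERT_REQUIRED and hostname checking.
        ctx = ssl.create_default_context(cafile=self.ca_cert_path)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        if self.client_cert_path:
            ctx.load_cert_chain(self.client_cert_path, self.client_key_path)
        if self.tls_insecure:
            warnings.warn("TLS certificate verification is disabled; "
                          "do not use in production", stacklevel=2)
            # check_hostname must be cleared before verify_mode can be CERT_NONE.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the verification posture of a context, e.g. for startup logs."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }
```

Logging the result of `describe` at connection setup gives operators a way to detect a deployment that is running with verification switched off.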
