[2.5] Support one-way SSL #3062
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes # .
Description
So far, FL clients and the FL Server must connect via mTLS (i.e. two-way SSL). Customers have been asking for the support of one-way SSL between FL clients and the FL Server. This PR adds this support to Flare 2.5.
When provisioning a project, the Project Admin can now specify "connection_security" property for the whole project, as well as for individual sites (server and clients). Valid values of this property are: clear, insecure, tls, and mtls:
For one-way SSL, the Project Admin can further specify "custom_ca_cert", which must be a valid cert file (extension must be .pem). If specified, then the client will use it to connect to the server, instead of using the provisioned CA cert. Custom CA Cert is necessary when the customer wants to connect the client to a middleman like ALB, where the cert belongs to the ALB.
The "connection_security" can also be explicitly set for a site. If set, then the site's connection security takes precedence over the project's connection_security. Hence in the same project, some sites could be running in clear, some in TLS, and some in mTLS. This is necessary to allow customers to deploy FL server and clients according to their IT requirements (e.g. use proxies, ALBs, etc.). This is one step towards the support of BYOConn (bring your own connectivity).
Once provisioned, the fed_server.json and fed_client.json will be generated with the value of "connection_security". If custom CA cert file is provided, it will be copied into the startup kit of each site as "customRootCA.pem".
Note that the "secure_train" arg no longer always determines connection security! The connection security is determined by the value of "connection_security" property specified during provision. If this property is not explicitly specified, then the "secure_train" arg is used to determine connection security, and mTLS is used when secure_train is true.
Note that the Provisioner will continue to generate self-signed certs and keys for all participants, regardless the value of "connection_security". In the future, even if these credentials are not used for connectivity, they will be used for explicit identity verification.
Types of changes
./runtest.sh.