Need to use server in production #37

Open
alaahil opened this issue Mar 14, 2024 · 9 comments

Comments

@alaahil

alaahil commented Mar 14, 2024

We are considering using the server in production along with a local CA implementation. We are aware that when we start the server we get the notification not to use it in production mode. Is it possible to clarify what the risks are in doing so, in order to try to find a workaround?

@toddgaunt-gs
Collaborator

Hey @alaahil, this implementation of EST wasn't ever written to be used in a production environment as is. The client is intended to be used with EST server implementations, however the EST server in this repository is only meant for testing/development purposes for the EST client. The server was not designed to be run as a production CA.

The warning is there to emphasize that if anyone does take this code and run it in a production environment, it is up to them to review the code and ensure that the system they are running it in is as secure as a proper CA implementation needs to be. The risk of using this code in production is that you would likely be the first to be doing so with this implementation, so any bugs or security flaws that may exist in this codebase will need to be managed and patched by your team if you discover any.

@alaahil
Author

alaahil commented Mar 14, 2024

Thank you for the very quick response. Is there any package or repository that you recommend to use on the server side?

@toddgaunt-gs
Collaborator

toddgaunt-gs commented Mar 14, 2024

If you're looking for an off-the-shelf solution, I unfortunately don't have anything to recommend. This implementation could be used as a base and hardened but as the license says 😄

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

@alaahil
Author

alaahil commented Mar 14, 2024

Alright, perhaps a good start. Is there documentation somewhere about the usage and how to use my own CAs?

@toddgaunt-gs
Collaborator

Depends on what this is going to be used for, but openssl is a good start. I would recommend looking for advice within your company on this issue.

@alaahil
Author

alaahil commented Mar 14, 2024

I mean is there documentation of this package usage other than the readme?

@toddgaunt-gs
Collaborator

Other than the README and what is documented in code comments, there isn't anything else, no.

@alaahil
Author

alaahil commented Mar 15, 2024

Ok thank you
I will bother you with one last question. Can I assume that the server is implementing [RFC7030] correctly and I worry about hardening?

@toddgaunt-gs
Collaborator

I hope it is, but I'm not willing to provide any guarantees as I wasn't the original author :)
