Questions about TLS


(vladimir) #1

When should we use flag
flag.Bool("tls.use_system_ca", false, "Include System CA into CA Certs.")
from golang client?


(Rocky Sharma) #2

Maybe when you generate your own signed CA file, or maybe also one from Let's Encrypt, as they are system-signed files.

For a purchased one, like from Comodo or others, the CA files are available in the public directory, so it doesn't require pointing to them specially.


(vladimir) #3

When I'm using TLS for servers, are the connections between replica servers TLS too?


(Daniel Mai) #4

Currently TLS connections are only between clients and servers, not between the servers themselves.


(vladimir) #5

How can I use TLS with the Zero server? If I'm using

/state
or
/removeNode?id=3&group=2

any person who knows the IP can do it.


(Daniel Mai) #6

Keep Zero in a private network accessible to the Server(s). It doesn’t need to have a public IP.

Currently TLS configuration is between clients and servers. Communication of Server-to-Server and Server-to-Zero is not encrypted, so it’s best to have them communicate within a private network.


(vladimir) #7

For high availability, I'm using 3 servers for replication in different data centers. And I need a public IP for communication between servers.
Can I use

https://some.site:5080 
or 
https://some.site:7080

for TLS communication between servers?


(Daniel Mai) #8

Servers can be in different data centers and be within the same private network.

Server-to-server communication will not happen over TLS at this time.


(James) #9

Is a Docker Swarm overlay network considered secure for server-to-server?


(Daniel Mai) #10

Yes, setting up IPSec tunnels like Docker Swarm encrypted overlay networks would encrypt the network traffic between the Dgraph Servers.