TLS doc instructions with curl circumvent security by distributing private key

Moved from GitHub dgraph/5363

Posted by darkn3rd:


The documentation under Using Curl with Client authentication instructs users to use the node.key for REQUIREANY or REQUIREANDVERIFY. This has two problems:

  • violates security as what should be a private key is not distributed and shared. This should never be demonstrated or recommended.
  • doesn’t show how to support to use client key to authenticate client.

The purpose of using REQUIREANDVERIFY is to make sure the client is authenticated to interact with Dgraph, as opposed to any client using https with dgraph service.