globalsign / est

An implementation of the Enrollment over Secure Transport (EST) certificate enrollment protocol

Need to use server in production

alaahil opened this issue · comments

We are considering using the server in production along with a local CA implementation. We are aware that when we start the server we get the notification not to use it in Production mode. Is it possible to clarify what the risks are in doing so, in order to try to find a workaround?

Hey @alaahil, this implementation of EST wasn't ever written to be used in a production environment as is. The client is intended to be used with EST server implementations, however the EST server in this repository is only meant for testing/development purposes for the EST client. The server was not designed to be run as a production CA.

The warning is there to emphasize that if anyone does take this code and run it in a production environment, it is up to them to review the code and ensure that the system they are running it in is as secure as a proper CA implementation needs to be. The risk of using this code in production is that you would likely be the first to be doing so with this implementation, so any bugs or security flaws that may exist in this codebase will need to be managed and patched by your team if you discover any.

Thank you for the very quick response. Is there any package or repository that you recommend to use on the server side?

If you're looking for an off-the-shelf solution, I unfortunately don't have anything to recommend. This implementation could be used as a base and hardened but as the license says 😄

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Alright, perhaps a good start. Is there documentation somewhere about the usage and how to use my own CAs?

Depends on what this is going to be used for, but openssl is a good start. I would recommend looking for advice within your company on this issue.

I mean is there documentation of this package usage other than the readme?

Other than the README and what is documented in code comments, there isn't anything else, no.

Ok, thank you.
I will bother you with one last question. Can I assume that the server implements [RFC7030] correctly and only worry about hardening?

I hope it is, but I'm not willing to provide any guarantees as I wasn't the original author :)