R4R: Implement HTTPS for the LCD REST server

[alessio]

In order to guarantee a secure connection between apps and the LCD the communication must be encrypted - even if clients and server run on the same local machine, credentials must never be transmitted in clear text.

Upon start up, if no certificate/key file pair is supplied by the user, the server generates a self-signed certificate and a key; both are stored as temporary files and removal is guaranteed on exit.

This new behaviour is now enabled by default, though users are provided
with a --insecure flag to switch it off.

See #595

• Linked to github-issue with discussion and accepted design OR link to spec that describes this work.
• Wrote tests
• Updated relevant documentation (docs/)
• Added entries in PENDING.md with issue #
• rereviewed Files changed in the github PR explorer

---

For Admin Use:

• Added appropriate labels to PR (ex. wip, ready-for-review, docs)
• Reviewers Assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[codecov]

Codecov Report

Merging #2364 into develop will decrease coverage by 0.38%.
The diff coverage is 39.87%.

@@             Coverage Diff             @@
##           develop    #2364      +/-   ##
===========================================
- Coverage    64.77%   64.39%   -0.39%     
===========================================
  Files          137      138       +1     
  Lines         8469     8617     +148     
===========================================
+ Hits          5486     5549      +63     
- Misses        2620     2693      +73     
- Partials       363      375      +12

[zmanian]

One of the very important attacks that this change should mitigate is the ability to a website to use javascript to search for an instance of LCD and interact with it b/c the browser will not trust this certificate and javascript can't override this.

[zmanian]

Can anyone think a reason why 10 year validity is dangerous for a ephemeral cert?

In most cases where you would have a unusually long lived instance of the LCD best practice would be to supply your own Cert.

[alessio]

@zmanian I've set it to 1 year already. Do you reckon that is reasonable?

[zmanian]

Maybe 30 days? @jessysaurusrex What do you think?

[alexanderbez]

Certainly not a year either I think. 30 days sounds reasonable. Some other system event might even kill the LCD before that anyway.

[zmanian]

Maybe it should only be localhost?

[alessio]

Dropped a test case for IPv6 addresses too. IMvHO that should be user's call, though "localhost" sounds like a sane default to me.

[zmanian]

Remove the configurability of the self signed cert option and create an option to pass in an externally generated cert.

[zmanian]

utACK

[alexanderbez]

Few minor comments, otherwise great work @alessio 👍

[alexanderbez]

Certainly not a year either I think. 30 days sounds reasonable. Some other system event might even kill the LCD before that anyway.

[alexanderbez]

Should we be using UTC for consistency?

[alexanderbez]

Do we want some other org here? I guess it doesn't really matter for self-signed certs.

[alessio]

Naah, it does not really matter. I could let the user customise it though.

[cwgoes]

Do users see this (maybe if they inspect the certificate) - what about "Gaia Lite" as the organization?

[cwgoes]

Thanks - mostly looks good, a few minor comments.

[cwgoes]

Do users see this (maybe if they inspect the certificate) - what about "Gaia Lite" as the organization?

[cwgoes]

Ah @alessio looks like this breaks the integration tests, can we change those to test the HTTPS server?

Never mind, just an intermittent failure.