From 206f27aef5a84584fea213069f18c90b5e745cee Mon Sep 17 00:00:00 2001 From: Christian Decker Date: Mon, 25 Nov 2024 14:52:35 +0100 Subject: [PATCH] docs: Add a FAQ on DPI breaking the encryption --- docs/src/about/faq.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/docs/src/about/faq.md b/docs/src/about/faq.md index cc7d7d17e..6186b0a13 100644 --- a/docs/src/about/faq.md +++ b/docs/src/about/faq.md 
@@ -26,3 +26,44 @@ request the signer: All of this ensures that only ever the latest state gets signed, and that this signed state doesn't get revoked, making a cheat attempt impossible. + +## Connectivity + +### Why can't I connect to the service from my school/work network? + +For its authentication and authorization Greenlight uses mTLS (mutual +transport layer security), an extension on the usual TLS used for +secure communication in browsers. Unlike normal websites however, +Greenlight requires two things: + + - The server must reply with a server certificate signed by the Greenlight CA. + - The client must use a client certificate signed by the Greenlight CA. + +When you try to access a service that uses mTLS (Mutual Transport +Layer Security) with self-signed certificates, you might encounter +connectivity issues, especially on networks with Deep Packet +Inspection (DPI). + +DPI is a network security technique used to inspect network traffic to +identify potential threats. Some DPI systems can interfere with +encrypted connections, particularly those using self-signed +certificates. These systems often rely on trusted Certificate +Authorities (CAs) to validate certificates. Since self-signed +certificates are not issued by a trusted CA, they may be flagged as +suspicious and blocked. + +The root cause of the issue lies in the network configuration and +security policies of your school or workplace network. They may have +strict security measures in place that restrict traffic based on +certificate validation.  + +This is not a Greenlight issue. Greenlight is using a standard +security protocol, mTLS, to protect your data. The problem arises from +the network restrictions imposed by your institution. + +We are working on exposing the scheduler and node interfaces over +[`grpc-web`][grpc-web] which can use browser-grade certificates, and +not require a client certificate, thus avoiding these connectivity +issues. + +[grpc-web]: https://github.com/grpc/grpc-web
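Review bot: The new FAQ answer contradicts itself about the certificates in play. The two bullets state that both sides present certificates "signed by the Greenlight CA", but the next two paragraphs explain the failure in terms of "self-signed certificates" ("mTLS ... with self-signed certificates", "Since self-signed certificates are not issued by a trusted CA, they may be flagged as suspicious and blocked"). A certificate issued by a private CA is not self-signed, and the actual conflict with a DPI middlebox is that the interceptor neither trusts the Greenlight CA nor can it present the user's client certificate on the re-established connection. Suggest rewording those sentences to "certificates issued by the Greenlight CA, which is not in the inspecting device's trust store" so the root-cause paragraph matches the bullets. Minor points in the same hunk: mTLS is expanded twice ("mTLS (mutual transport layer security)" and again "mTLS (Mutual Transport Layer Security)"), so drop the second expansion; "For its authentication and authorization Greenlight uses" needs a comma after "authorization"; and the line "certificate validation.  " carries trailing whitespace.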