Feasibility to pass Client Certificates through JsonRpcProvider and WebSocketProvider

[saiakhil2012]

Ethers Version

v5.7.2

Search Terms

mutual TLS, client certificates, jsonrpc, websocket

Describe the Problem

I am analyzing to see, if it is feasible to perform mutual TLS with Blockchain Nodes from DApps. From my analysis, for mTLS, it is possible to pass client certificates in JSON RPC Providers and WebSocket Providers in other Ethereum Libraries such as Web3j, Web3.js, etc. For example,

• Passing Client Certificates in HTTP Service in Web3j

  • Its feasible to pass a new HttpService() when creating a new web3 object - https://docs.web3j.io/4.8.7/getting_started/interacting_with_node/
  • Its possible to pass httpClient of type OkHttpClient - https://github.com/web3j/web3j/blob/master/core/src/main/java/org/web3j/protocol/http/HttpService.java#L102
  • And its feasible to set certificates in OkHttpClient as part of its tls package - https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/

• Passing Client Certificates for WebSockets in Web3j

  • TLS over WebSockets - https://docs.web3j.io/4.8.7/advanced/tls_websockets/
  • There is an option to create a keystore and then to create sslContext with keystore and then to create websocket client with sslContext then websocket service can be created using websocket client

Similarly in slightly different form and way, Web3.js also has ways to pass client certificates for JSON RPC based Provider and WebSocket provider

From my analysis, it is currently not feasible to pass client certificates in Ethers.js for JSON RPC Provider and WebSocket Provider. Can you please confirm that it is not feasible to pass client certificates in ethers.js currently? If it is feasible, can you please let me know, how to do the same. If it is not feasible yet, is there is a rough timeline on when it would be feasible to do the same in Ethers.js?

Thanks in advance

Code Snippet

No response

Contract ABI

No response

Errors

No response

Environment

No response

Environment (Other)

No response

[ricmoo]

This isn't anything that will be supported in v5, as I'm trying to avoid any new API changes.

In v6, you can replace the web fetching APIs with custom ones, using FetchRequest.registerGetUrl. If it is functionality that can be passed along, it may make sense in the future to add properties on the FetchRequest object to facilitate it, assuming the additional code required is not prohibitive.

But for example, this is something that cannot be done in a web browser (for security reasons), so it would only affect those using node. It's just something to keep in mind.

I'm going to move this to the Ideas Discussion.

[saiakhil2012]

Apologies for a delayed response. Thanks for your response. Yes, the additional required code for this would not be prohibitive. Yes, sure, for non web browser based scenarios itself i.e. not for the Web3Provider. This option can be exposed for the JsonRpcProvider. This option/feature of passing client certificates works in both web3.js and web3j.

Following is an example of how it is possible to pass client certificates while using web3.js,

    const Web3 = require('web3');

    var mTlsOptions = {
        agent: {
            https: https.Agent({
                ca: [fs.readFileSync("root-ca.crt")],
                key: fs.readFileSync("client.key"),
                cert: fs.readFileSync("client.crt")
            })
        }
    }

   const web3 = new Web3(new Web3.providers.HttpProvider(rpcURL, mTlsOptions));

It is just about passing the extra ca cert, client key and client cert files.

[ghost]

For anyone looking for proxy connections, I have posted the example code which works with V6 #4336