Commit 4bf0bb9

committed
docs: Add a FAQ on DPI breaking the encryption
1 parent 17c71aa commit 4bf0bb9

File tree

1 file changed

+41
-0
lines changed

docs/src/about/faq.md

Lines changed: 41 additions & 0 deletions
@@ -26,3 +26,44 @@ request the signer:
2626
All of this ensures that only ever the latest state gets signed, and
2727
that this signed state doesn't get revoked, making a cheat attempt
2828
impossible.
29+
30+
## Connectivity
31+
32+
### Why can't I connect to the service from my school/work network?
33+
34+
For its authentication and authorization Greenlight uses mTLS (mutual
35+
transport layer security), an extension on the usual TLS used for
36+
secure communication in browsers. Unlike normal websites however,
37+
Greenlight requires two things:
38+
39+
- The server must reply with a server certificate signed by the Greenlight CA.
40+
- The client must use a client certificate signed by the Greenlight CA.
41+
42+
When you try to access a service that uses mTLS (Mutual Transport
43+
Layer Security) with self-signed certificates, you might encounter
44+
connectivity issues, especially on networks with Deep Packet
45+
Inspection (DPI).
46+
47+
DPI is a network security technique used to inspect network traffic to
48+
identify potential threats. Some DPI systems can interfere with
49+
encrypted connections, particularly those using self-signed
50+
certificates. These systems often rely on trusted Certificate
51+
Authorities (CAs) to validate certificates. Since self-signed
52+
certificates are not issued by a trusted CA, they may be flagged as
53+
suspicious and blocked.
54+
55+
The root cause of the issue lies in the network configuration and
56+
security policies of your school or workplace network. They may have
57+
strict security measures in place that restrict traffic based on
58+
certificate validation. 
59+
60+
This is not a Greenlight issue. Greenlight is using a standard
61+
security protocol, mTLS, to protect your data. The problem arises from
62+
the network restrictions imposed by your institution.
63+
64+
We are working on exposing the scheduler and node interfaces over
65+
[`grpc-web`][grpc-web] which can use browser-grade certificates, and
66+
not require a client certificate, thus avoiding these connectivity
67+
issues.
68+
69+
[grpc-web]: https://github.com/grpc/grpc-web
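Review bot: the new FAQ answer contradicts itself about which certificates are in play, and the DPI explanation does not match the mechanism that actually breaks the connection. The bullet list states that "The server must reply with a server certificate signed by the Greenlight CA" and "The client must use a client certificate signed by the Greenlight CA", yet the following paragraphs describe the problem as "mTLS ... with self-signed certificates" that "may be flagged as suspicious and blocked". A certificate issued by a private CA is not self-signed; the precise statement is that the Greenlight CA is not in the trust store of the institution's inspection proxy. More importantly, an inspecting proxy that terminates TLS sits in the middle of the handshake: it cannot present a server certificate that chains to the Greenlight CA, so the client rejects it, and it cannot supply the client certificate the server demands, so the server rejects it. The connection therefore fails on both sides regardless of whether anything is "flagged". Suggest changing "with self-signed certificates" to "with certificates issued by a private CA" and rewording the paragraph beginning "DPI is a network security technique" around TLS interception rather than certificate validation by a trusted CA. Two smaller points: "mutual transport layer security" is expanded twice (once in the first paragraph and again as "Mutual Transport Layer Security" in the third; drop the second), and the line ending "certificate validation. " has trailing whitespace.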
