code pattern #5065
Comments
Could you provide a reference to the specific lines of code where you think the use of math/rand is inappropriate? For cryptographic randomness, certainly it should be avoided. For code that is simply shuffling a set of values, such as orderers to invoke, I don't see any obvious reason why math/rand cannot be used. I see many points in the code where a TLS MinVersion is specified. Please could you point to the specific code where you see it missing?
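The distinction drawn in this comment, as an added example that is not code from the Fabric repository: crypto/rand for anything secret (a nonce or session token), and math/rand, seeded and therefore reproducible, for spreading calls across a set of orderer endpoints where predictability costs nothing. The endpoint names are constructed sample values.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// NewNonce returns n bytes from the operating system's CSPRNG via crypto/rand.
// This is the source for anything security-sensitive: nonces, session tokens,
// key material. crypto/rand.Read fails closed (returns an error) instead of
// silently handing back weak bytes.
func NewNonce(n int) ([]byte, error) {
	buf := make([]byte, n)
	if _, err := crand.Read(buf); err != nil {
		return nil, fmt.Errorf("crypto/rand: %w", err)
	}
	return buf, nil
}

// ShuffleEndpoints returns a shuffled copy of endpoints using math/rand seeded
// with the caller's value. math/rand is a deterministic PRNG: anyone who knows
// the seed can reproduce the whole sequence, so it must never feed a secret.
// For choosing the order in which to try orderers that predictability is
// harmless, and the determinism makes the behaviour testable.
func ShuffleEndpoints(endpoints []string, seed int64) []string {
	out := make([]string, len(endpoints))
	copy(out, endpoints)
	r := mrand.New(mrand.NewSource(seed))
	r.Shuffle(len(out), func(i, j int) { out[i], out[j] = out[j], out[i] })
	return out
}

// SamePermutation reports whether b is a reordering of a (same multiset),
// which is the property a shuffle must preserve.
func SamePermutation(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	counts := make(map[string]int, len(a))
	for _, s := range a {
		counts[s]++
	}
	for _, s := range b {
		counts[s]--
		if counts[s] < 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample endpoints; not taken from the Fabric code base.
	orderers := []string{
		"orderer0.example.com:7050",
		"orderer1.example.com:7050",
		"orderer2.example.com:7050",
	}
	fmt.Println("invocation order:", ShuffleEndpoints(orderers, 42))

	nonce, err := NewNonce(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("session nonce:", hex.EncodeToString(nonce))
}
```

The two aliases (`crand`, `mrand`) make the choice visible at every call site, which is also what makes a linter rule such as the one quoted in the issue easy to audit: any `mrand` use that ends up in a token or key is the bug.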
Actually I'm suggesting to use crypto/rand because math/rand has weak entropy, and math/rand is not designed for cryptographic purposes. And about the missing MinVersion TLS configuration: cmd/osnadmin/main_test.go line 81. And also grpc-server-insecure-connection, where the gRPC server is without grpc.Creds().
orderer/common/server/main.go: found an HTTP server without TLS, code line 325. In my view there should be http.ListenAndServeTLS.
I don't think we are concerned about the test artifacts. In production environments the peer and orderer services are secured with TLS and the docs and samples are pretty clear about this already. The example at orderer/common/server/main.go line 325 is for pprof Go profiling. This is disabled by default and only enabled in test environments when profiling test workload performance. Can you highlight any examples that would impact a production peer or orderer with TLS enabled?
MinVersion is missing from this TLS configuration.

math-random-used - Do not use math/rand. Use crypto/rand instead.
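The first finding in the issue body, as an added example that is not code from the Fabric repository: a small check that reproduces the "MinVersion is missing" warning against a tls.Config, the corrected config beside the weak one, and an http.Server carrying that config so that ListenAndServeTLS (the call the reporter suggests) negotiates nothing below TLS 1.2. The address and timeout are constructed values; the check also flags InsecureSkipVerify, which goes beyond what the issue quotes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"
)

// CheckTLSConfig returns a list of findings for a tls.Config, in the spirit of
// the static-analysis warning quoted in the issue. An empty result means the
// config passes.
func CheckTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"no tls.Config: connection would be plaintext"}
	}
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		// Zero means "use the Go toolchain's default", which has changed between
		// Go releases. Pinning the floor explicitly keeps a rebuild from lowering it.
		findings = append(findings, "MinVersion is missing from this TLS configuration")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate verification")
	}
	return findings
}

// HardenedTLSConfig is the corrected form: the floor is pinned to TLS 1.2 and
// certificate verification stays on.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

// NewTLSServer wires the hardened config into an http.Server, so that
// srv.ListenAndServeTLS(certFile, keyFile) uses it. The header timeout is a
// constructed value, not a Fabric setting.
func NewTLSServer(addr string, handler http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           handler,
		TLSConfig:         HardenedTLSConfig(),
		ReadHeaderTimeout: 10 * time.Second,
	}
}

func main() {
	// The weak setting: a config that relies on the toolchain default.
	weak := &tls.Config{}
	for _, f := range CheckTLSConfig(weak) {
		fmt.Println("finding:", f)
	}
	// The corrected setting passes the same check.
	fmt.Println("hardened findings:", len(CheckTLSConfig(HardenedTLSConfig())))

	srv := NewTLSServer("127.0.0.1:8443", http.NewServeMux())
	fmt.Printf("server %s will negotiate TLS >= 0x%04x\n", srv.Addr, srv.TLSConfig.MinVersion)
}
```

Setting `MinVersion` on the server struct rather than on a dial-time option is what makes the floor apply to every listener that reuses the config, including a profiling endpoint that is normally disabled but may be switched on in a test environment.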