Does the HTTP JSON API support TLS?

I couldn’t find anything in the docs or the command help. The question applies to both the connection to the Ledger API and the connection towards clients.

2 Likes

As you mentioned, there are two parts to this question, so I’ll answer them separately:

  1. The connection from the JSON API to the Ledger
    In SDK 1.0, TLS is not supported for this connection. However, we have fixed this in the meantime (see "allow secure connection from JSON API to ledger" by S11001001, Pull Request #5555 in digital-asset/daml on GitHub, if you are interested in the actual change). This is included in the latest snapshot release 1.1.0-snapshot.20200422.3991.0.6391ee9f and should end up in the 1.1.0 release. You can take a look at the documentation for this snapshot or daml json-api --help to find information on the CLI options to enable TLS (--pem, --crt, --cacrt and --tls are the relevant ones).

  2. The connection between the JSON API and clients
    This connection does not support TLS directly and there are no plans to change that. The recommended setup here is to put the JSON API behind a reverse proxy (e.g. NGINX) which provides a TLS connection. Future versions of the JSON API will require a reverse proxy by default to avoid accidentally sending the JWT tokens over an insecure connection. There will be a flag to disable this for local development. The work on this change is not yet finalized, but you can find the current state at "require https reverse proxy" by S11001001, Pull Request #5660 in digital-asset/daml on GitHub.

3 Likes
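The risk named in the answer above (JWTs sent over a plaintext connection) can also be guarded on the client side. The following is an added example, not part of the original posts and not code from the Daml project; the function and class names are hypothetical, and the opt-out for loopback addresses is an assumption modelled on the local-development flag the answer mentions.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_transport(url, allow_insecure_local=False):
    """Raise ValueError unless the URL may carry a bearer token."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return
    if (parts.scheme == "http" and allow_insecure_local
            and is_loopback(parts.hostname or "")):
        return  # plaintext only towards the local machine, for development
    raise ValueError(f"refusing to send JWT over {parts.scheme!r} to {parts.hostname!r}")


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies request headers (Authorization included) onto the
    redirected request, so reject redirect targets that are not safe."""

    def __init__(self, allow_insecure_local=False):
        self.allow_insecure_local = allow_insecure_local

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            check_transport(newurl, self.allow_insecure_local)
        except ValueError as exc:
            raise urllib.error.HTTPError(newurl, code, str(exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def authed_request(url, jwt, allow_insecure_local=False):
    """Return (request, opener) for a JSON API call that carries the JWT."""
    check_transport(url, allow_insecure_local)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {jwt}"})
    opener = urllib.request.build_opener(NoDowngradeRedirect(allow_insecure_local))
    return req, opener
```

Call `opener.open(req)` to send the request; the host names used to try it out are up to the caller, and the check does not replace TLS termination at the reverse proxy.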