This entry is part 1 of 5 in the series bitcoin

Can bitcoind accept https requests?

Bitcoind offers a JSON-RPC server that can accept HTTP requests. It used to be able to accept HTTPS requests using a simple switch in bitcoin.conf (see Appendix A below). However, this was dropped in 2015.
To set up an encrypted tunnel to bitcoind, one needs to use SSH.
Before we do that, why do we need an encrypted tunnel to bitcoind?
If you want to connect to the JSON-RPC server remotely, you will need to authenticate yourself.
This authentication happens over plain HTTP, using basic HTTP authentication.

The JSON-RPC server requires basic HTTP authentication. For example, to send a request using curl:

curl --user av:mypassword \
--data-binary '{"jsonrpc":"1.0","id":"curltext","method":"listunspent","params":[]}' \
-H 'content-type:text/plain;' http://192.168.blah.blah:18443/

Authentication (Basic HTTP) Data is basically Plaintext

Authentication data (user name and password) is sent as Base64-encoded plaintext. Base64 is an encoding, not encryption, so anyone who can see the request can decode it (online decoders will do it).

To avoid sending the credentials in plaintext, our only option is to use SSH between the client machine and the bitcoind server.

Computer to Computer SSH

If the VM hosting your bitcoind software has a way to SSH to the client sending the HTTP request:

  • Set up SSH local port forwarding on the client machine – i.e. the computer that will send HTTP requests to the RPC server

ssh -v -fNL 5555:192.168.client.IP:18443 remote_user@192.168.client.IP

  • To use the tunnel, send traffic to localhost – i.e. 127.0.0.1:5555 (host:port)

Appendix A – PRE-2015 – How do you switch from http to https on bitcoind?

PRE-2015 – This functionality is no longer available
bitcoind offers a JSON-RPC server that can accept HTTP requests. To switch it to HTTPS:

Step 1 – Add rpcssl = 1 to the bitcoin.conf config file:

rpcuser     = myUsername
rpcpassword = myPassword
rpcallowip  = ipAddressWhitelistedHost
rpcssl      = 1

Step 2 – Generate a self-signed certificate. Navigate to your data directory .bitcoin and generate a self-signed certificate. Do not enter a password when it prompts you for one.
openssl genrsa -out server.pem 2048
openssl req -new -x509 -nodes -sha1 -days 3650 -key server.pem > server.cert

Restart bitcoind and test the SSL functionality.

You should see the certificate details. Pressing enter twice will return – HTTP/1.0 401 Authorization Required.

openssl s_client -connect localhost:8332

bitcoind will now accept JSON-RPC commands through HTTPS.

Appendix B

Python code for setting up the SSH tunnel
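
An added example, not the author's original listing: a Python version of the tunnel from "Computer to Computer SSH" together with the listunspent call from the curl example, sent to 127.0.0.1:5555 so that the Basic credentials only cross the network inside SSH. The login remote_user@bitcoind.example and the assumption that bitcoind listens on the SSH host's own 127.0.0.1:18443 are placeholders; the function names are this example's own.

```python
import base64
import json
import subprocess
import time
import urllib.request

LOCAL_PORT = 5555  # local end of the tunnel, as in the ssh command above


def tunnel_argv(ssh_target, rpc_host, rpc_port=18443, local_port=LOCAL_PORT):
    """argv for an SSH local port forward whose listener is bound to loopback only."""
    return [
        "ssh", "-N",                       # forwarding only, no remote command
        "-o", "ExitOnForwardFailure=yes",  # exit rather than run without the forward
        "-L", f"127.0.0.1:{local_port}:{rpc_host}:{rpc_port}",
        ssh_target,
    ]


def open_tunnel(ssh_target, rpc_host, rpc_port=18443, local_port=LOCAL_PORT):
    """Start ssh as a child process; the caller must terminate() it when done."""
    return subprocess.Popen(tunnel_argv(ssh_target, rpc_host, rpc_port, local_port))


def rpc_request(user, password, method, params=None, local_port=LOCAL_PORT):
    """Build the same JSON-RPC call as the curl example, aimed at the tunnel."""
    body = json.dumps({"jsonrpc": "1.0", "id": "tunnel", "method": method,
                       "params": params or []}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"http://127.0.0.1:{local_port}/", data=body,
        headers={"Content-Type": "text/plain", "Authorization": f"Basic {token}"})


def call(req, timeout=10):
    """Send the request and return the decoded JSON-RPC response."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: replace with your own SSH login and RPC credentials.
    proc = open_tunnel("remote_user@bitcoind.example", "127.0.0.1")
    try:
        time.sleep(2)  # crude wait for the forward to come up
        print(call(rpc_request("av", "mypassword", "listunspent")))
    finally:
        proc.terminate()
```

The Authorization header is still only Base64, so the protection comes entirely from the request never leaving loopback unencrypted; rpc_host is resolved on the SSH server side, not on the client.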

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

