[GH-ISSUE #2687] [Question] TLS support #2145

Closed
opened 2026-05-05 13:22:44 -06:00 by gitea-mirror · 4 comments

Originally created by @hons82 on GitHub (Dec 3, 2021).
Original GitHub issue: https://github.com/fatedier/frp/issues/2687

Describe the feature request

I'm currently using the use_encryption feature, but I'd like to use TLS. What I'd like to have is a self signed certificate on the client and potentially on the server as well.

Do I need then a certificate authority?
Does it need to be the same CA on the server and on all the clients?

Describe alternatives you've considered

Remain on use_encryption

Affected area

  • [X] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [X] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others

@fatedier commented on GitHub (Dec 3, 2021):

Docs here may help you https://github.com/fatedier/frp#tls


@hons82 commented on GitHub (Dec 3, 2021):

Sure, but there it just says certificate.key, certificate.crt and ca.crt on both server and client, but do they need to be the same on both sides?
Would it be possible to run a self signed without ca?


@fatedier commented on GitHub (Dec 6, 2021):

Can you just try what you want?


@hons82 commented on GitHub (Dec 6, 2021):

That seems to work well. I did use the following to create the certificates

```
$ openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout client.key -out client.crt
$ openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.crt
```

and used them on the server/client respectively.

```
tls_enable = true
tls_cert_file = ./client.crt
tls_key_file = ./client.key
```

Without CA.
Reference: github-starred/frp#2145