Orderflow encryption and attestation
This page outlines how orderflow is end-to-end encrypted in BuilderNet, and how the TLS certificate that protects it can be tied to an attested TEE instance.
Key ports
Every builder node exposes these key ports used for orderflow communication:
| Port | Use | Encryption |
|---|---|---|
| 443 | Receive orderflow from operator, users, wallets | Locally generated TLS certificate |
| 5544 | Receive orderflow from BuilderNet nodes and Flashbots | Locally generated TLS certificate |
| 7936 | Serving the locally generated TLS certificate | Attested TLS (aTLS) |
Find the complete list of ports here.
Orderflow encryption
Orderflow sent to a builder node is end-to-end encrypted using HTTPS/TLS. Once inside BuilderNet, orderflow is only accessible to services running inside BuilderNet nodes.
Each builder node generates a TLS certificate locally on startup and uses it to receive orderflow on ports 443 and 5544. The private key for this certificate never leaves the TEE instance, and TEE attestation (described below) lets a client verify that claim rather than take it on trust.
Because a TLS handshake requires the server to prove possession of the certificate's private key, a client that pins this certificate knows that only the TEE instance that generated it can decrypt the orderflow it sends.
TEE attestation of the certificate
TEE attestation allows you to verify that a given TLS certificate was generated inside a VM running a particular image (a specific codebase and configuration). On every builder node, an API on port 7936 serves the local certificate over an aTLS attested channel.
Read more about aTLS in the Constellation documentation.
As part of the aTLS handshake, the client (for example a user or wallet operator) verifies that the server runs inside a TEE instance with specific measurements (i.e. a specific codebase and configuration). The certificate received over that channel is therefore bound to those measurements.
You can use this tool to get the certificate with TEE attestation (replace instance_ip with the node's address):

```bash
go run cmd/get-measurements/main.go \
  --addr=https://instance_ip:7936/cert \
  --out-measurements=measurements.json \
  --out-response=builder-cert.pem
```

The attested measurements are written to measurements.json and the certificate to builder-cert.pem.
You can now check that the attested measurements in measurements.json match one of the expected measurement sets published at https://measurements.builder.flashbots.net. That site also points to instructions for reproducing the expected measurements from source through reproducible builds. Only once the measurements match should builder-cert.pem be trusted and pinned for orderflow connections; a certificate whose measurements match nothing published should not receive orderflow.
If you just want the certificate, you can fetch it without attestation using curl like this:

```bash
curl --insecure https://instance_ip:7936/cert
```

The --insecure flag is needed because curl cannot validate the aTLS endpoint's certificate itself. A certificate fetched this way comes with no attestation, so it is fine for inspection but should not be trusted for sending orderflow without the attested check above.