Comments (7)
On Sat, Mar 7, 2015 at 12:02 AM, prazzt wrote:
> My first impression was "TLS client certificate authentication", i.e.
> distinguish each client by the certificate that they sent. But from a cursory
> look, it turns out it's actually certificate pinning.. making sure the client
> talks with the pinned server CA.
>
> Am I right, or does grpc actually support client certificate
> authentication?

Currently, we do not support client certificate authentication
(i.e., NoClientCert is used). But it is not hard to add if it is needed.
The name basically means creating a TLS grpc credential for client from a
cert (ca).
from grpc-go.
How about NewClientTLSFromCA?
from grpc-go.
So this is basically certificate pinning, right?
What is the expected usage here? Does clientCert == serverCert?
from grpc-go.
I do not think we do extra work besides the normal TLS handshake.
This is more like a browser->web service type of usage -- clients do not have their own certs but root CA.
from grpc-go.
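The behaviour discussed in the replies above (a client that holds only a root CA pool, and a server that runs with NoClientCert) can be observed with the Go standard library. This is an added example, not code from grpc-go or from the thread; it uses net/http/httptest with its built-in test certificate in place of a gRPC server, and the function name probe is hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe starts a local TLS server with the given ClientAuth policy and connects
// with a client that has no certificate of its own, only a root pool.
// trustServer selects whether that pool contains the server's certificate.
// It returns how many client certificates the server saw, or the client's error.
func probe(auth tls.ClientAuthType, trustServer bool) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%d", len(r.TLS.PeerCertificates))
	}))
	srv.TLS = &tls.Config{ClientAuth: auth}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool() // empty pool: trusts no server
	if trustServer {
		roots.AddCert(srv.Certificate()) // httptest's constructed test certificate
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots}, // no Certificates: client has no identity
		DisableKeepAlives: true,
	}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return -1, err
	}
	defer resp.Body.Close()
	seen := -1
	_, err = fmt.Fscan(resp.Body, &seen)
	return seen, err
}

func main() {
	for _, auth := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAndVerifyClientCert} {
		seen, err := probe(auth, true)
		fmt.Printf("%v, server root trusted: client certs seen=%d err=%v\n", auth, seen, err)
	}
	_, err := probe(tls.NoClientCert, false)
	fmt.Println("NoClientCert, server root not trusted:", err)
}
```

With NoClientCert the server is authenticated against the client's root pool and sees zero client certificates; a server that requires client certificates rejects the same client, and a client whose pool lacks the server's root refuses the connection.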
I see another issue got confused also by TLS client certificate ..
I propose the following signatures:
// NewClient constructs secure connection for client with optional rootCA
func NewClient(server string, rootCA *x509.CertPool) TransportAuthenticator {}
// NewClientFile constructs secure connection by loading rootCA from local file
func NewClientFile(server, rootCAFile string) TransportAuthenticator {}
// NewServer constructs a new server
func NewServer(cert *tls.Certificate) TransportAuthenticator {}
// NewServerFile constructs a new server by loading cert and key from local file
func NewServerFile(certFile, keyFile string) (TransportAuthenticator, error) {}
This way it's shorter (we know it's always TLS anyway), and people don't confuse it for "TLS client authentication".
from grpc-go.
Nah, it is not TLS always. We will support SSH too. And we are working on some Google internal transport security protocol too. Therefore, you need to have TLS in the names. In addition, I prefer "XXXFromFile" to "XXXFile". Plus, it is not necessarily a local file (e.g., it could be on NFS).
from grpc-go.
I see. Hope it doesn't get too bloated in the future. Closing this.
from grpc-go.