New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
empty root CA certificate causes C++ server to incorrectly accept clients #12146
Comments
|
for convenience, here's the relevant code in the server
and the client
|
the python server is behaving correctly when given the empty ca certificate: it rejects the client. server:
client:
server code
client code
|
@deepaklukose would you mind having a look at the issue? Thanks! |
@jboeuf https://github.com/grpc/grpc/blob/master/src/core/tsi/ssl_transport_security.h#L144 does indeed claim that the pem_client_root_certs needs to be non-null for the server to validate the client certs. Let me update the code to get rid of this since rejecting the client seems like the safer option. |
Thanks much Deepak!
…On Thu, Aug 10, 2017 at 10:21 PM, deepaklukose ***@***.***> wrote:
@jboeuf <https://github.com/jboeuf> https://github.com/grpc/grpc/
blob/master/src/core/tsi/ssl_transport_security.h#L144 does indeed claim
that the pem_client_root_certs needs to be non-null for the server to
validate the client certs. Let me update the code to get rid of this since
rejecting the client seems like the safer option.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12146 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AF-P7Znx9AnmI5JaG0RFyOm__mn7vnnBks5sW-TTgaJpZM4Ozw3g>
.
|
That'd be great! Thanks, Deepak!
(sent from phone)
On Aug 10, 2017 10:24 PM, "jboeuf" <notifications@github.com> wrote:
Thanks much Deepak!
On Thu, Aug 10, 2017 at 10:21 PM, deepaklukose ***@***.***> wrote:
@jboeuf <https://github.com/jboeuf> https://github.com/grpc/grpc/
blob/master/src/core/tsi/ssl_transport_security.h#L144 does indeed claim
that the pem_client_root_certs needs to be non-null for the server to
validate the client certs. Let me update the code to get rid of this since
rejecting the client seems like the safer option.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12146 (comment)>, or
mute
the thread
<https://github.com/notifications/unsubscribe-
auth/AF-P7Znx9AnmI5JaG0RFyOm__mn7vnnBks5sW-TTgaJpZM4Ozw3g>
.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#12146 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABHdpKgnC_38OfavEdWU2B20UZlhhgVOks5sW-WEgaJpZM4Ozw3g>
.
|
What is the status of this issue? is this closed? if so, Can please share the commit ID in which the issue is fixed? We are also facing similar issue in python when used grpc.dynamic_ssl_server_credentials() function to update the server credentials dynamically for hitless certificate rotation. The scenario is,
grpc.dynamic_ssl_server_credentials() api notes says that |
The fix has not been committed. The proposed fix (#12193) needs a lot more work to rebase for which I unfortunately don't have the time right now. |
@kboyapa1 so i assume you want the server to reject all new clients after you delete the roots.pem? while i understand that technically, that is the behavior promised by the |
@cauthu Your understanding is correct. I am expecting server should reject all new client connections when roots.pem is deleted. We are looking for hitless server certificate rotation. The existing client connections should not interrupted due to new certificates installation. All the new client connections should use new certificates to connect to the server. using grpc.dynamic_ssl_server_credentials() api, Scenario-1: (Working)
Scenario-2 (Not Working):
Scenario-3 (Not Working):
|
@cauthu This should be fixed. Let me know if problem still exists. Thanks for patience. |
Ah cool, thanks Jiangtao.
…On Fri, Dec 14, 2018, 8:37 AM Jiangtao Li ***@***.*** wrote:
@cauthu <https://github.com/cauthu> This should be fixed. Let me know if
problem still exists. Thanks for patience.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12146 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABHdpPOqH0UipDwvfSkbSec18_rQwcj_ks5u49PlgaJpZM4Ozw3g>
.
|
hi,
i think there's a bug somewhere that is causing the c++ server to interpret an empty
pem_root_certs
to mean "don't verify clients" even though it's told toGRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
.here are the three scenarios: the server uses the wrong root cert, the right root cert, and an empty root cert. the client does the same thing in all cases.
(i will attach the example and an optional patch for some logging)
when server uses an unrelated ca cert...
expected outcome: server rejects client
actual outcome: correct
server:
client:
when server uses the correct ca cert...
expected outcome: server accepts client, and client prints hello world
actual outcome: correct
server:
client:
when server uses an EMPTY ca cert...
expected outcome: server rejects client
actual outcome: INCORRECT: client is accepted and prints hello world
server:
client:
What version of gRPC and what language are you using?
latest master at
What operating system (Linux, Windows, …) and version?
linux, ubuntu 16.04
What runtime / compiler are you using (e.g. python version or version of gcc)
The text was updated successfully, but these errors were encountered: