TLS client authentication support #14
Comments
|
@andrm yes having a simple test case would be great. |
|
Please see https://github.com/andrm/grpcclientcertcase |
|
Any hints? Is the testcase ok? |
|
that's something we haven't yet had time to investigate (we've been very busy closing 3.5.0) |
|
could you port your test case to the vertx-grpc codebase to help us ? |
|
I will try to. (Thanks for your effort with 3.5.0) |
|
Please see my pull request for the testcase: |
|
the corresponding issue in gRPC has been solved : grpc/grpc-java#3682 (so we need a release) this is necessary to fix this current issue |
|
This is good news! Does grpc plan any release soon? |
|
"this will be in the 1.8 release scheduled for November 21st." |
|
that being said, we are also waiting for other fixes from netty that is not yet released, so I don't know yet how we will handle all these fixes... |
|
grpc-java 1.8 was released, now waiting for netty. |
|
thing is that the netty version we are waiting for, is not yet used by gRPC, so it means we need to wait for another gRPC release somehow |
|
or we force the Netty dependency if that's acceptable |
|
that being said, the fix could be tried in a branch of this repo with a force upgrade of Netty |
|
I'm fine with forcing the netty dependency. |
|
So the current plan is wait for grpc 1.9.0? |
|
Netty 4.1.18.Final has been released today, we need to check when gRPC will use this version or try to override it |
|
@ejona86 any plan of the next grpc release that would include Netty-4.1.18.Final ? |
|
I don't see a change for grpc-java in 1.10.0 for a new netty version. Anything I can do? |
|
we need to integrate grpc 1.9.0 and force dependency on Netty 4.1.19.Final, both are compatible (even if grpc 1.9.0 depends on 1.17.Final) |
|
@andrm I've just bumped both the gRPC compiler and gRPC lib to 1.9.0 can you give it a try and see if it's fixed? |
|
My testcase works with 3.5.1-SNAPSHOT and alpn-boot-8.1.11.v20170118.jar |
|
thanks for reporting |
Version 3.4.2. Tried openssl(tc-nativ-boring-static) and jdk(1.8_144). SSL works, ClientCert required does not seem to be advertised.
VertxServer server = VertxServerBuilder. forPort(vertx, 8080) //.useTransportSecurity(new File("certs/TestServer.chain"), // new File("certs/TestServerKey.pem")).useSSL(tcpsslOptions -> {
JksOptions trustOptions = new JksOptions()
.setPath("certs/truststore.jks")
.setPassword("testpw");
//PemTrustOptions trustOptions = new PemTrustOptions()
// .addCertPath("certs/TestCA.crt");
//PfxOptions trustOptions = new PfxOptions()
// .setPath("certs/testclient.p12")
// .setPassword("testpw");
HttpServerOptions options = (HttpServerOptions)tcpsslOptions;
options.setSsl(true)
.setUseAlpn(true)
.setClientAuth(ClientAuth.REQUIRED)
.setClientAuthRequired(true)
.setSni(true)
.setTrustStoreOptions(trustOptions)
.setTrustOptions(trustOptions)
.setKeyStoreOptions(new JksOptions()
.setPath("certs/server-keystore.jks")
.setPassword("testpw"))
//.setOpenSslEngineOptions(new OpenSSLEngineOptions().setSessionCacheEnabled(false))
}).addService(sd).build();`
openssl and jdk complain both that the "peer is not verified" or "peer is not authenticated".
I think netty and grpc stuff would work, it is probably a vertx issue. Can you please check?
If you need a complete testcase let me know.
The text was updated successfully, but these errors were encountered: