Comments (7)
On Sat, Mar 7, 2015 at 12:02 AM, prazzt [email protected] wrote:
> My first impression was "TLS client certificate authentication", i.e.
> distinguish each client by the certificate they send. But from a cursory
> look, it turns out it's actually certificate pinning, making sure the client
> talks with a pinned server CA. Am I right, or does grpc actually support client certificate
> authentication?

Currently, we do not support client certificate authentication
(i.e., NoClientCert is used). But it is not hard to add if it is needed.
The name basically means creating a TLS grpc credential for the client from a
cert (ca).
Reply to this email directly or view it on GitHub: #107.
from grpc-go.
How about NewClientTLSFromCA?
So this is basically certificate pinning, right?
What is the expected usage here? Does clientCert == serverCert?
I do not think we do extra work besides the normal TLS handshake.
This is more like a browser->web service type of usage -- clients do not have their own certs but root CA.
I see another issue that also got confused by "TLS client certificate".
I propose the following signatures:

```go
// NewClient constructs a secure connection for a client with an optional rootCA
func NewClient(server string, rootCA *x509.CertPool) TransportAuthenticator {}

// NewClientFile constructs a secure connection by loading the rootCA from a local file
func NewClientFile(server, rootCAFile string) TransportAuthenticator {}

// NewServer constructs a new server
func NewServer(cert *tls.Certificate) TransportAuthenticator {}

// NewServerFile constructs a new server by loading cert and key from local files
func NewServerFile(certFile, keyFile string) (TransportAuthenticator, error) {}
```

This way it's shorter (we know it's always TLS anyway), and people don't confuse it with "TLS client authentication".
Nah, it is not always TLS. We will support SSH too. And we are working on some Google-internal transport security protocol too. Therefore, you need to have TLS in the names. In addition, I prefer "XXXFromFile" to "XXXFile". Plus, it is not necessarily a local file (e.g., it could be on NFS).
I see. Hope it doesn't get too bloated in the future. Closing this.
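The two models argued over in this thread differ in one server-side setting. A client that holds only a root CA, as in the NewClientTLSFromCert model, performs ordinary chain validation against that CA plus a check of the expected server name (the "server" argument of the proposed NewClient above); any certificate that CA issues for that name is accepted, which is not the same as pinning one server certificate. Client-certificate authentication is the server requesting and verifying a certificate (tls.RequireAndVerifyClientCert), which the maintainer says grpc-go leaves at NoClientCert. The Go program below is an added example written for this page, not grpc-go code: it uses only the standard library's crypto/tls, every name in it (chanConn, mint, PKI, Handshake, Scenarios, the hostnames api.example, other.example and client-1) is invented here, and all keys and certificates are throwaway material generated at run time. It runs five in-memory handshakes and reports which side rejected what.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// chanConn is a minimal in-memory net.Conn with buffered writes, so a side that aborts the handshake
// mid-flight cannot deadlock its peer (the fully synchronous net.Pipe can; real code uses TCP).
type chanConn struct {
	out     chan<- []byte
	in      <-chan []byte
	pending []byte
	once    sync.Once
}

func newConnPair() (*chanConn, *chanConn) {
	ab, ba := make(chan []byte, 64), make(chan []byte, 64)
	return &chanConn{out: ab, in: ba}, &chanConn{out: ba, in: ab}
}

func (c *chanConn) Read(p []byte) (int, error) {
	for len(c.pending) == 0 {
		buf, ok := <-c.in
		if !ok {
			return 0, io.EOF // peer closed its end
		}
		c.pending = buf
	}
	n := copy(p, c.pending)
	c.pending = c.pending[n:]
	return n, nil
}
func (c *chanConn) Write(p []byte) (int, error)      { c.out <- append([]byte(nil), p...); return len(p), nil }
func (c *chanConn) Close() error                     { c.once.Do(func() { close(c.out) }); return nil }
func (c *chanConn) LocalAddr() net.Addr              { return nil }
func (c *chanConn) RemoteAddr() net.Addr             { return nil }
func (c *chanConn) SetDeadline(time.Time) error      { return nil }
func (c *chanConn) SetReadDeadline(time.Time) error  { return nil }
func (c *chanConn) SetWriteDeadline(time.Time) error { return nil }

// mint issues an ECDSA P-256 certificate for name (constructed test material, not real keys);
// with parent == nil it becomes a self-signed CA.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// PKI: a throwaway root, a server and a client leaf it issued, and a "rogue" server cert that carries
// the right hostname but was issued by a CA the client was never given.
type PKI struct {
	Pool                  *x509.CertPool // the "ca" a NewClientTLSFromCert-style constructor is handed
	Server, Client, Rogue tls.Certificate
}

func NewPKI() *PKI {
	_, ca, caKey := mint("test-root-ca", nil, nil)
	_, rogueCA, rogueKey := mint("rogue-ca", nil, nil)
	server, _, _ := mint("api.example", ca, caKey)
	client, _, _ := mint("client-1", ca, caKey)
	rogue, _, _ := mint("api.example", rogueCA, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{Pool: pool, Server: server, Client: client, Rogue: rogue}
}

// Handshake runs one TLS handshake in memory and returns the first error from either side. The server's
// verdict is needed because in TLS 1.3 the client finishes before the server has judged its certificate.
func Handshake(serverCfg, clientCfg *tls.Config) error {
	cEnd, sEnd := newConnPair()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sEnd, serverCfg).Handshake(); sEnd.Close() }()
	cerr := tls.Client(cEnd, clientCfg).Handshake()
	cEnd.Close()
	if serr := <-errc; cerr == nil {
		return serr
	}
	return cerr
}

// Scenarios runs the thread's two models against the same root; a nil value means the handshake succeeded.
func Scenarios(p *PKI) map[string]error {
	serverOnly := func(c tls.Certificate) *tls.Config { return &tls.Config{Certificates: []tls.Certificate{c}} }
	mutual := &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Pool}
	// trustCA is the client side of the NewClientTLSFromCert model: a root pool plus the server name to check.
	trustCA := func(serverName string, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: p.Pool, ServerName: serverName, Certificates: certs}
	}
	return map[string]error{
		"server-auth: trusted CA, expected name": Handshake(serverOnly(p.Server), trustCA("api.example")),
		"server-auth: trusted CA, wrong name":    Handshake(serverOnly(p.Server), trustCA("other.example")),
		"server-auth: untrusted issuer":          Handshake(serverOnly(p.Rogue), trustCA("api.example")),
		"mutual TLS: client sends no cert":       Handshake(mutual, trustCA("api.example")),
		"mutual TLS: client cert from the CA":    Handshake(mutual, trustCA("api.example", p.Client)),
	}
}

func main() {
	for name, err := range Scenarios(NewPKI()) {
		fmt.Printf("%-40s -> %v\n", name, err)
	}
}
```

Running it prints one line per scenario with either nil or the rejecting side's error. Two results are the ones worth internalising: with only a root CA configured, a certificate for the right name from an unknown issuer and a valid certificate for the wrong name are both refused by the client, so the "server" argument is part of the security check, not cosmetics; and in the no-client-cert case only the server reports a failure, because under TLS 1.3 the client has already completed its handshake, so code that inspects only the client's handshake error would treat a rejected connection as good until its first read fails.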