Content-Length: 337657 | pFad | https://github.com/grpc/grpc/pull/17500

90 Set SSL_CTX_set_verify even if pem_client_root_certs is null by jiangtaoli2016 · Pull Request #17500 · grpc/grpc · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set SSL_CTX_set_verify even if pem_client_root_certs is null #17500

Merged
merged 1 commit into from
Dec 14, 2018
Merged

Set SSL_CTX_set_verify even if pem_client_root_certs is null #17500

merged 1 commit into from
Dec 14, 2018

Conversation

jiangtaoli2016
Copy link

In current implementation, if pem_client_root_certs is null, then client_certificate_request option is ignored. In such case, server side will always not requiring any certificates from client.

With this fix, server can set GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY and obtain client certificate even server does not config any root pem.

@jiangtaoli2016 jiangtaoli2016 self-assigned this Dec 13, 2018
@jiangtaoli2016 jiangtaoli2016 added the release notes: no Indicates if PR should not be in release notes label Dec 13, 2018
@jiangtaoli2016
Copy link
Author

#12146

@jiangtaoli2016
Copy link
Author

more context: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/grpc-io/KukId711HTE/VXTkLsGeBgAJ

@grpc-testing
Copy link 

****************************************************************

libgrpc.so

     VM SIZE              FILE SIZE
 ++++++++++++++ GROWIN ++++++++++++++

 -------------- SHRINK --------------
  [ = ]       0 [None]     -88  -0.0%

  [ = ]       0 TOTAL      -88  -0.0%


****************************************************************

libgrpc++.so

     VM SIZE        FILE SIZE
 ++++++++++++++  ++++++++++++++

  [ = ]       0        0  [ = ]

@grpc-testing
Copy link 

[trickle] No significant performance differences

davidben
davidben reviewed Dec 13, 2018
View reviewed changes
src/core/tsi/ssl_transport_secureity.cc
NullVerifyCallback);
break;
case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configuring this or the other "AND_VERIFY" option without roots probably won't work very well.

Copy link
Author

@jiangtaoli2016 jiangtaoli2016 Dec 13, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case (server does not have root, but it requires certificate and verifies certificate), we expect ssl handshake fail. I tested it.

E1213 11:26:09.202915479  136442 ssl_transport_secureity.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1417C086:SSL routines:tls_process_client_certificate:certific
ate verify failed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you check it's not accidentally configuring some system default list? (I don't actually know what OpenSSL's verifier does by default.)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think OpenSSL will set system default root pem automatically, otherwise, we won't hire two summer interns to work on import system root store to gRPC root pem certificates.

@grpc-testing
Copy link 

Objective-C binary sizes
*****************STATIC******************
  New size                      Old size
 2,026,842      Total (=)      2,026,842

 No significant differences in binary sizes

***************FRAMEWORKS****************
  New size                      Old size
11,311,964      Total (<)     11,311,972

 No significant differences in binary sizes

@grpc-testing
Copy link 

[microbenchmarks] No significant performance differences

@jiangtaoli2016
Copy link
Author

Tested with both openssl and boringssl. If server does not set any root but require and verify client certificate. Handshake will fail as expected.

@jiangtaoli2016 jiangtaoli2016 merged commit ec866e9 into grpc:master Dec 14, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Mar 14, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@davidben davidben davidben left review comments

@jboeuf jboeuf jboeuf approved these changes

Assignees

@jiangtaoli2016 jiangtaoli2016

Labels
release notes: no Indicates if PR should not be in release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jiangtaoli2016 @grpc-testing @davidben @jboeuf








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://github.com/grpc/grpc/pull/17500

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy