
Server identity validation with secure_connect and empty ChannelCredentials #540

Open
zezic opened this issue Jun 29, 2021 · 3 comments

@zezic

zezic commented Jun 29, 2021

Is server identity validated when grpcio::ChannelBuilder::secure_connect() is used with empty credentials, i.e. credentials made by using just grpcio::ChannelCredentialsBuilder::new().build() without any root certificates being explicitly provided? Does it use the system-wide certificates, which are located automatically by some internal OpenSSL mechanism?

@BusyJay
Member

BusyJay commented Jun 29, 2021

It depends. On Linux, it will load the default system root PEM; otherwise it will try to use the root certificates that are installed with the grpc library, for example "/usr/share/grpc/roots.pem" on macOS. Implementation details for Linux can be checked here: https://github.com/grpc/grpc/blob/master/src/core/lib/security/security_connector/load_system_roots_linux.cc#L145-L167.

@zezic
Author

zezic commented Jun 29, 2021

Thanks for the pointer! Currently I use it on a CentOS Linux host and I have the ca-certificates package installed. So, I can safely assume that if it connects to the host and continues to work with it without any noticeable issues, then it has successfully verified the host's certificate, right?

@BusyJay
Member

BusyJay commented Jun 29, 2021

If you are using secure connections and use them correctly, then the answer is probably yes. If you are worried about it, you can set a wrong name for verification, which is expected to fail if the system certificates are correctly detected.
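The two replies above describe where an empty ChannelCredentials gets its roots from (an explicit override, then the system bundle on Linux, then the copy shipped with the grpc library) and suggest a wrong-name negative test. The shell check below is an added example written for this thread; it is not code from the grpc-rs project or from either participant. The candidate file list and the precedence are my reading of grpc's ssl_utils.cc and load_system_roots_linux.cc around the time of this issue and are assumptions to confirm against the linked source for your grpc version; the directory scan (GRPC_SYSTEM_SSL_ROOTS_DIR and the certs directories) is omitted. GRPC_LINUX_CERT_FILES and GRPC_BUNDLED_ROOTS are hypothetical variables that exist only so the check can be exercised against constructed files; grpc itself compiles the bundled path in.

```shell
#!/bin/sh
# Added example for this thread (not grpc-rs project code): reproduce, as a
# host-side check, the root-bundle lookup a grpcio client with empty
# ChannelCredentials would perform, so you can see which PEM it verifies
# server identity against on this machine. Paths/precedence are assumptions
# taken from my reading of grpc's ssl_utils.cc / load_system_roots_linux.cc.

# Candidate system bundles probed on Linux, in order (assumed list; hypothetical
# variable so tests can point it at constructed files).
GRPC_LINUX_CERT_FILES="${GRPC_LINUX_CERT_FILES:-/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# Copy shipped with the grpc library (path quoted in the reply above); grpc
# compiles this in, the variable here is hypothetical and only for testing.
GRPC_BUNDLED_ROOTS="${GRPC_BUNDLED_ROOTS:-/usr/share/grpc/roots.pem}"

# count_certs FILE -> number of PEM certificates in FILE; 0 if missing/unreadable.
# An existing but empty bundle counts as unusable, same as a missing one.
count_certs() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# resolve_grpc_roots -> prints "<source>:<path>" (source is env, system or
# bundled) and returns 0, or prints "none:" and returns 1 when no usable
# bundle exists, which means the client has nothing to verify the server against.
resolve_grpc_roots() {
    # 1. GRPC_DEFAULT_SSL_ROOTS_FILE_PATH wins when it points at a usable file;
    #    an unreadable override falls through rather than failing closed.
    if [ -n "${GRPC_DEFAULT_SSL_ROOTS_FILE_PATH:-}" ] &&
       [ "$(count_certs "$GRPC_DEFAULT_SSL_ROOTS_FILE_PATH")" -gt 0 ]; then
        echo "env:$GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
        return 0
    fi
    # 2. First non-empty system bundle, unless system roots are disabled.
    if [ "${GRPC_NOT_USE_SYSTEM_SSL_ROOTS:-}" != "true" ]; then
        for f in $GRPC_LINUX_CERT_FILES; do
            if [ "$(count_certs "$f")" -gt 0 ]; then
                echo "system:$f"
                return 0
            fi
        done
    fi
    # 3. Fall back to the copy installed with the library.
    if [ "$(count_certs "$GRPC_BUNDLED_ROOTS")" -gt 0 ]; then
        echo "bundled:$GRPC_BUNDLED_ROOTS"
        return 0
    fi
    echo "none:"
    return 1
}

# check_bundle_rejects_wrong_name HOST BUNDLE -> 0 if a deliberately wrong
# hostname is rejected when verifying HOST:443 against BUNDLE. This is the
# negative test the reply above suggests, done with openssl rather than grpcio
# so the bundle can be checked independently. Needs network; not run offline.
check_bundle_rejects_wrong_name() {
    openssl s_client -connect "$1:443" -CAfile "$2" \
        -verify_hostname does-not-match.invalid </dev/null 2>&1 |
        grep -qi 'hostname mismatch'
}

# Stand-alone run: report what this host would hand to secure_connect().
res=$(resolve_grpc_roots) || true
case "$res" in
    none:) echo "no usable root bundle found" ;;
    *)     echo "grpc root bundle: ${res#*:} (${res%%:*}, $(count_certs "${res#*:}") roots)" ;;
esac
```

On a CentOS host with ca-certificates installed the expected answer is `system:/etc/pki/tls/certs/ca-bundle.crt` (or the tls-ca-bundle.pem it links to). For the grpc-level version of the negative test, the knob I would use in grpcio is `ChannelBuilder::override_ssl_target` with a name the server's certificate does not carry, before calling `secure_connect`; to my knowledge that is the method that sets the SSL target name override, but confirm it against the grpcio version you build with.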
