Question: Can @grpc/grpc-js Support TLS Certificate Validation Using Only a Certificate Hash?


Ivaylo Garnev

Dec 10, 2024, 10:18:26 AM
to grpc.io
Context

In the current implementation of @grpc/grpc-js, creating a secure gRPC channel requires providing the full server certificate to credentials.createSsl(). However, in dynamic environments (e.g., distributed networks with a frequently updated address book), it is common to only have access to the hash of the server certificate (e.g., SHA-256). Validating the server during the TLS handshake using just the hash is not currently supported in the library, which creates challenges for such use cases.

Questions
  1. Is it currently possible to use only a certificate hash to validate a server during the TLS handshake in @grpc/grpc-js?
  2. If not, are there any recommended workarounds for validating a server certificate against a known hash using the existing library features?
Why This Matters

Environments with dynamic address books or self-signed certificates often only have access to certificate hashes as a trusted source of verification. Supporting hash-based validation would:

  • Simplify integration for users in these scenarios.
  • Align with the flexibility of the TLS protocol, which supports certificate signature validation.

Michael Lumish

Dec 10, 2024, 10:42:06 AM
to Ivaylo Garnev, grpc.io
There is an alternate API credentials.createFromSecureContext(), which takes as input a SecureContext object (creation API: https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions). I am not familiar with all of the options to create one of those, but if it is possible to do what you want in Node, that is where you would do it. If not, Node itself would need to change to support that functionality.
