Java client get server TLS certificate from a StreamObserver connection.
59 views
Skip to first unread message
cr2...@gmail.com
Sep 5, 2017, 4:07:36 PM9/5/17
to grpc.io
Hi
Is there a means for the client to obtain the certificate bytes from the TLS negotiation that was sent by the server ? The reason I ask, to avoid a replay security scenario the idea is for the client to hash this and send it back with requests. I honestly don't know the details of this but just trying to figure out if it can even be done. I don't think that even converting a Java Certificate or X509 Certificate back to bytes works because I don't think it would guarantee idempotance. The closest I've seen sslContext.sessionContext().getIds() use one of those ids -> sslContext.sessionContext().getSession(id) which has an SSLSession where there are methods to get Certificates but as noted I don't think that's adequate.
Is there a means for the client to obtain the certificate bytes from the TLS negotiation that was sent by the server ? The reason I ask, to avoid a replay security scenario the idea is for the client to hash this and send it back with requests. I honestly don't know the details of this but just trying to figure out if it can even be done. I don't think that even converting a Java Certificate or X509 Certificate back to bytes works because I don't think it would guarantee idempotance. The closest I've seen sslContext.sessionContext().getIds() use one of those ids -> sslContext.sessionContext().getSession(id) which has an SSLSession where there are methods to get Certificates but as noted I don't think that's adequate.
Eric Anderson
Sep 5, 2017, 8:34:12 PM9/5/17
to cr2...@gmail.com, grpc.io
On Tue, Sep 5, 2017 at 1:07 PM, <cr2...@gmail.com> wrote:
Is there a means for the client to obtain the certificate bytes from the TLS negotiation that was sent by the server ? The reason I ask, to avoid a replay security scenario the idea is for the client to hash this and send it back with requests.
That's pretty strange. Normally the only reason to be worried about replay attacks is if the connection is not authenticated; is the server not using a "real" certificate? Even still, "binding" data to a connection with client certificates or Channel ID[1] seems much saner (yes, those are based on the client, not the server).
I'm also not quite sure how the certificate bytes actually helps anything since that's public and every client would have it. I assume you're doing a trick there as well.
I honestly don't know the details of this but just trying to figure out if it can even be done. I don't think that even converting a Java Certificate or X509 Certificate back to bytes works because I don't think it would guarantee idempotance. The closest I've seen sslContext.sessionContext().getIds() use one of those ids -> sslContext.sessionContext().getSession(id) which has an SSLSession where there are methods to get Certificates but as noted I don't think that's adequate.
grpc-java don't provide any information about the connection an RPC is on until the response headers are received. clientCall.getAttributes(Grpc.TRANSPORT_ATTR_SSL_SESSION) can get the SslSession, but I don't have any other ideas for you.
1. Not that grpc-java supports Channel ID
Reply all
Reply to author
Forward
0 new messages