Extracting CN from TLS peer cert in gRPC server


ensan

Sep 7, 2018, 6:43:01 AM
to grpc.io
Hi - Great job on gRPC. I have a quick question - I'm trying, unsuccessfully, to obtain the CN (common name) field from the peer's TLS certificate within a (server-side) gRPC stub.

I've implemented a C++ gRPC-based TLS server and can successfully connect a client over TLS; however, I'd like to capture client-specific details (that I write into the client's certificate) when a client's call arrives on the server side, for tracking and keying data against. I see the first argument in a gRPC server-side call is the ServerContext, so I've tried to locate the common name as follows:
  • (ServerContext)->auth_context()->FindPropertyValues(GRPC_X509_CN_PROPERTY_NAME) - empty
  • (ServerContext)->auth_context()->GetPeerIdentity() - empty
  • It's also not in the (ServerContext)->client_metadata()
I can obtain the value from openssl i.e. the CN field is set in the client's cert:

    openssl x509 --noout -subject -in client_cert.pem

How do I get the common name (and other client TLS fields) from the server-side RPC call (C++)?

Many thanks in advance!

Nicolas Noble

Sep 7, 2018, 1:35:59 PM
to bensan...@googlemail.com, grpc.io
You need to toggle requesting the certificate from the client for the property to appear.


You'll notice the default is "GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE". You need this to be at least "GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY" in order to get the server to request the client's certificate, and thus get its properties filled in the auth context.

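An added example, not part of the thread and not gRPC's own code: server credentials that request the client certificate, as the reply above describes, and a helper that reads the CN from the auth context and reports when it is missing. `PeerCommonName`, `FakeAuthContext`, `MakeServerCreds` and the PEM parameter names are assumptions; the example uses the require-and-verify setting rather than the minimum one, because here the CN is used to key data.

```cpp
#include <string>
#include <vector>

// Value of gRPC's GRPC_X509_CN_PROPERTY_NAME.
constexpr char kCnProperty[] = "x509_common_name";

// Copies the peer certificate's CN into *out. Returns false when the auth
// context holds no single non-empty CN, e.g. no client cert was requested.
// AuthCtx is grpc::AuthContext or any type with the same two methods.
template <class AuthCtx>
bool PeerCommonName(const AuthCtx& ctx, std::string* out) {
  out->clear();
  if (!ctx.IsPeerAuthenticated()) return false;
  const auto values = ctx.FindPropertyValues(kCnProperty);
  if (values.size() != 1 || values[0].size() == 0) return false;
  out->assign(values[0].data(), values[0].size());
  return true;
}

// Constructed stand-in for grpc::AuthContext, so PeerCommonName can be
// exercised without a TLS connection.
struct FakeAuthContext {
  bool authenticated;
  std::vector<std::string> cn_values;
  bool IsPeerAuthenticated() const { return authenticated; }
  std::vector<std::string> FindPropertyValues(const std::string&) const {
    return cn_values;
  }
};

#if __has_include(<grpcpp/grpcpp.h>)  // real wiring, built only with gRPC
#include <grpcpp/grpcpp.h>

// ca_pem, key_pem and cert_pem are PEM strings loaded by the caller.
inline std::shared_ptr<grpc::ServerCredentials> MakeServerCreds(
    const std::string& ca_pem, const std::string& key_pem,
    const std::string& cert_pem) {
  // Require and verify the client certificate so the CN can be trusted;
  // the ..._BUT_DONT_VERIFY setting fills the property without validating.
  grpc::SslServerCredentialsOptions opts(
      GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
  opts.pem_root_certs = ca_pem;  // CA that issues the client certificates
  opts.pem_key_cert_pairs.push_back({key_pem, cert_pem});
  return grpc::SslServerCredentials(opts);
}
// In a handler taking grpc::ServerContext* context:
//   std::string cn;
//   if (!PeerCommonName(*context->auth_context(), &cn))
//     return grpc::Status(grpc::StatusCode::UNAUTHENTICATED, "no client CN");
#endif
```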