TLS client Auth

Eugene Strulyov

Jan 6, 2017, 6:17:59 PM
to grpc.io

Hi all,


I am implementing a GRPC service which must authenticate the clients, so I set up TLS auth as follows:


        import io.grpc.netty.GrpcSslContexts;
        import io.netty.handler.ssl.ClientAuth;
        import io.netty.handler.ssl.SslContextBuilder;
        import io.netty.handler.ssl.SslProvider;

        // Server-side Netty SSL context: present our chain, verify clients against our CA, and require a client certificate.
        SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(serverPrivateKey, serverCertChain)
            .trustManager(serverTrustedCerts)   // CA certificate(s) that client certificates must chain to
            .clientAuth(ClientAuth.REQUIRE);    // handshake fails if the client presents no certificate
        GrpcSslContexts.configure(sslContextBuilder, SslProvider.OPENSSL);


In this case serverTrustedCerts is the certificate of our CA, which means that any certificate signed by this CA is accepted. I need to make this more restrictive, such that only certain clients are accepted. So I have 2 options:


1. List every single client certificate that I want to allow.


2. Do certificate filtering on the server. All client certificates will have a certain known string in Subject DN field, so if I can get access to the certificate, I can regexp for it.


Option 2 is much preferred. How do I do this with GRPC?


thanks,


Eugene


Eugene Strulyov

Jan 7, 2017, 4:15:12 PM
to grpc.io
Answering my own question, but I figured this out. In case anyone else finds this useful:

SSLSession sslSession = call.attributes().get(ServerCall.SSL_SESSION_KEY);
try {
    // getPeerPrincipal() throws SSLPeerUnverifiedException when no client certificate was verified
    String peerName = sslSession.getPeerPrincipal().getName();
    Matcher matcher = myPattern.matcher(peerName);   // myPattern: regex for the known Subject DN string
} catch (SSLPeerUnverifiedException e) {
    // no verified client certificate: treat the call as unauthenticated
}


Eugene
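The same check wrapped in a complete gRPC ServerInterceptor, as an added example that is not code from the thread. It reads the session through Grpc.TRANSPORT_ATTR_SSL_SESSION (the key current grpc-java releases expose; the reply above uses the older ServerCall.SSL_SESSION_KEY), matches the RFC 2253 form of the Subject DN against a caller-supplied Pattern, and fails closed when there is no TLS session or no verified client certificate; ClientDnInterceptor and its constructor argument are names chosen here.

```java
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/** Rejects calls whose client-certificate Subject DN does not match the allow-pattern. */
public final class ClientDnInterceptor implements ServerInterceptor {
    private final Pattern allowedSubject;

    public ClientDnInterceptor(Pattern allowedSubject) {
        this.allowedSubject = allowedSubject;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        // The attribute is absent on plaintext transports: fail closed rather than skip the check.
        SSLSession session = call.attributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
        if (session == null) {
            return reject(call, "no TLS session");
        }
        String dn;
        try {
            // Throws when the handshake verified no client certificate.
            X500Principal peer = (X500Principal) session.getPeerPrincipal();
            // RFC 2253 form is a stable rendering; toString() ordering/escaping may vary.
            dn = peer.getName(X500Principal.RFC2253);
        } catch (SSLPeerUnverifiedException e) {
            return reject(call, "client certificate not verified");
        }
        // matches() anchors the whole DN; find() would accept any DN that merely contains the string.
        if (!allowedSubject.matcher(dn).matches()) {
            return reject(call, "subject not allowed: " + dn);
        }
        return next.startCall(call, headers);
    }

    private static <ReqT, RespT> ServerCall.Listener<ReqT> reject(ServerCall<ReqT, RespT> call, String why) {
        call.close(Status.PERMISSION_DENIED.withDescription(why), new Metadata());
        return new ServerCall.Listener<ReqT>() {};
    }
}
```

Attach it with ServerInterceptors.intercept(service, new ClientDnInterceptor(Pattern.compile("CN=[^,]+,O=Example,C=US"))), where the pattern is a constructed placeholder for the DN shape your CA issues.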

Carl Mastrangelo

Jan 9, 2017, 1:15:08 PM
to grpc.io
The CallAttributes is the correct approach, but be warned that it is experimental API, and may change in the future.