[GO] [SSL] Allow only TRUSTED clients


Ismael Farfan

Oct 19, 2018, 9:10:29 AM
to grpc.io
Hello everyone

I'm a little bit at a loss on how to do this; I want to do what this guy does in this post using RequireAndVerifyClientCert, but with gRPC:

"Getting the Server to Trust the Client"
https://ericchiang.github.io/post/go-tls/

I already have CA root and key (pem) files in the server.
Potential users can create Certificate Sign Requests with "openssl req -new...."
I can sign / approve / provide temporary CSR with "openssl x509 -req...."
I can check that certs are valid and haven't _expired_ with "openssl verify...."


So the question is:
How can I make it so that only clients connecting with a certificate signed with the root CA can call [some] functions?


If it's too much of a pain to restrict only some functions, restricting the whole gRPC server also works for me.

The authentication overview guide says it's possible to extend or customize authentication methods, but it seems like such means (MetadataCredentialsPlugin) aren't available in golang yet.
https://grpc.io/docs/guides/auth.html

Any ideas?
-Ismael

Ismael Farfán

Oct 19, 2018, 4:50:19 PM
to grp...@googlegroups.com
I gave up and just call something like the verify example in the x509
package from the secure functions.
https://golang.org/pkg/crypto/x509/#Certificate.Verify

It's not the optimum or what I wanted, but it's better than calling
exec.Command("openssl...")

Regards
-Ismael


On Fri, Oct 19, 2018 at 08:10, Ismael Farfan
(sulf...@gmail.com) wrote:



--
Do not let me induce you to satisfy my curiosity, from an expectation,
that I shall gratify yours. What I may judge proper to conceal, does
not concern myself alone.

Evan Jones

Oct 22, 2018, 9:21:02 AM
to grpc.io
I think the built-in NewServerTLSFromCert should do what you want. See the example here: https://grpc.io/docs/guides/auth.html#with-server-authentication-ssltls

Or the raw API docs: https://godoc.org/google.golang.org/grpc/credentials#NewServerTLSFromCert


The gRPC documentation isn't super clear about how you should use these, but if the default configuration doesn't do what you want, you can call NewTLS with your own tls.Config that contains the options you want (e.g. the root certificate that you want to trust, etc).

Hope that helps,

Evan Jones
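The two answers in this thread fit together: the tls.Config that Evan describes makes the server itself reject any client certificate that does not chain to the root CA, and the Certificate.Verify call from Ismael's second post is exactly the check crypto/tls runs on that certificate during the handshake when ClientCAs is set. The following is an added example, not code from the thread or from gRPC-Go. It builds a throwaway CA and an impostor CA in memory (constructed for the example; a real server loads its PEM files), shows the server-side tls.Config in both modes the question asks about (whole server vs. only some methods), and runs the verification against a valid, an expired and an impostor-signed client certificate. The function names issue, ServerTLSConfig, VerifyClientCert, HasTrustedClient and Run are this example's own; credentials.NewTLS, peer.FromContext and credentials.TLSInfo are the gRPC-Go APIs the config and the per-method check would plug into, but gRPC is not imported so the block runs with the standard library alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints an in-memory certificate for this example (a real server loads its CA and leaf
// PEM files instead). A nil parent yields a self-signed CA; leaves get client and server EKUs.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), // ttl < 0 makes an expired cert
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// ServerTLSConfig is the tls.Config a gRPC server would wrap with credentials.NewTLS and pass as
// grpc.Creds(...) (gRPC is not imported here). requireAll picks between the thread's two options:
// refuse every connection without a trusted client cert, or admit anonymous clients and let
// each method decide with HasTrustedClient.
func ServerTLSConfig(serverCert tls.Certificate, trustedCAs *x509.CertPool, requireAll bool) *tls.Config {
	mode := tls.VerifyClientCertIfGiven
	if requireAll {
		mode = tls.RequireAndVerifyClientCert
	}
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   mode,
		ClientCAs:    trustedCAs, // any client cert that is presented must chain to this pool
		MinVersion:   tls.VersionTLS12,
	}
}

// VerifyClientCert is the check crypto/tls performs on a presented client certificate when
// ClientCAs is set (chain to the pool, ClientAuth EKU, validity window), and the explicit check
// the thread's second post falls back to from inside the "secure" functions.
func VerifyClientCert(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// HasTrustedClient is the per-method gate: VerifiedChains is populated only when the peer's
// certificate chained to ClientCAs during the handshake. A gRPC handler reads the state from
// peer.FromContext(ctx), whose AuthInfo is a credentials.TLSInfo.
func HasTrustedClient(state tls.ConnectionState) bool {
	return len(state.VerifiedChains) > 0
}

// Run builds a trusted CA and an impostor CA, then checks a valid, an expired and an
// impostor-signed client certificate against the server's configuration.
func Run() map[string]error {
	ca, caKey := issue("Example Root CA", 24*time.Hour, nil, nil)
	impostor, impostorKey := issue("Impostor CA", 24*time.Hour, nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	srvCert, srvKey := issue("grpc-server", time.Hour, ca, caKey)
	cfg := ServerTLSConfig(tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}, trusted, true)
	good, _ := issue("trusted-client", time.Hour, ca, caKey)
	expired, _ := issue("expired-client", -30*time.Minute, ca, caKey)
	rogue, _ := issue("untrusted-client", time.Hour, impostor, impostorKey)
	return map[string]error{
		"trusted":   VerifyClientCert(cfg, good),    // accepted
		"expired":   VerifyClientCert(cfg, expired), // rejected: expired
		"untrusted": VerifyClientCert(cfg, rogue),   // rejected: unknown authority
	}
}

func main() { fmt.Println(Run()) }
```

With `requireAll` true the handshake itself fails for the expired and impostor-signed clients, so no RPC handler ever runs for them. With `requireAll` false the server still rejects a bad certificate if one is presented, but also admits clients that present none; that is the variant for "only some functions": the open methods skip the check, and the restricted ones refuse the call when HasTrustedClient returns false for the peer's connection state.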

Ismael Farfan

Oct 22, 2018, 2:33:29 PM
to grpc.io
Thanks, I'll give it a try : )