gRPC-C++: Logging SSL handshake failures

Rameshreddy Mudhireddy

Jan 15, 2025, 5:56:15 PM
to grpc.io
Hi,

I need to log cert-based authentication failures and I don't see any hooks available to interact with the SSL handshake at the point of rejection. I found the following hooks, but these seem to be after the handshake itself.

1. The TlsServerCredentialsOptions struct has the set_certificate_verifier() API, which is for custom verifications and gets invoked only after the SSL handshake is completed.
2. grpc::AuthMetadataProcessor::Process() API is also after the handshake itself.
3. C++ interceptors are also after the handshake is completed (builder.experimental().SetInterceptorCreators())

This can be done easily in grpc-go by wrapping credentials.TransportCredentials and implementing ServerHandshake() API to capture failures and logging them. 

Is this even possible using gRPC-C++ libs? Please advise.
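
Added example, not part of the thread or of gRPC's own code, in Go because the post above points to grpc-go: rather than wrapping ServerHandshake(), it uses the standard crypto/tls VerifyPeerCertificate callback, so the subject and URI SANs (such as a SPIFFE ID) of a rejected client certificate reach a logger or counter. The names verifyAndReport, onReject and constructedCert are hypothetical, and the sample certificate is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// verifyAndReport (hypothetical name) builds a VerifyPeerCertificate callback that hands a rejected leaf to onReject.
func verifyAndReport(roots *x509.CertPool, onReject func(*x509.Certificate, error)) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		certs, err := x509.ParseCertificates(bytes.Join(raw, nil)) // leaf first, then intermediates
		if err != nil || len(certs) == 0 {
			return fmt.Errorf("no usable client certificate (parse error: %v)", err)
		}
		inter := x509.NewCertPool()
		for _, c := range certs[1:] {
			inter.AddCert(c)
		}
		_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		if err != nil {
			onReject(certs[0], err) // log or count here: the rejected identity is still available
		}
		return err
	}
}

func constructedCert() []byte { // self-signed sample client certificate (constructed input)
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "client-a"}, URIs: []*url.URL{{Scheme: "spiffe", Host: "example.test", Path: "/client-a"}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return der
}

func main() {
	cfg := &tls.Config{ClientAuth: tls.RequireAnyClientCert} // accept at the TLS layer, verify in the callback
	cfg.VerifyPeerCertificate = verifyAndReport(x509.NewCertPool(), func(c *x509.Certificate, err error) {
		fmt.Printf("rejected client cert: subject=%q uris=%v: %v\n", c.Subject.String(), c.URIs, err)
	})
	_ = cfg.VerifyPeerCertificate([][]byte{constructedCert()}, nil) // empty trust store, so rejected
}
```

In grpc-go a tls.Config built this way can be passed to credentials.NewTLS. crypto/tls does not invoke VerifyPeerCertificate on resumed connections.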

Gregory Cooke

Jan 27, 2025, 2:32:10 PM
to grpc.io
Hey,

Can you please give me a little more detail around exactly what you're trying to do and looking to log? Are you trying to do it server side or client side?

In the meantime, https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md has info about more verbose logging - it further links to all of the GRPC_TRACE values that you can set for more detailed logging as well.

Rameshreddy Mudhireddy

Jan 27, 2025, 6:25:05 PM
to grpc.io
Hi Gregory,

Thank you for the response. This is for the server side. On the server side I would like to log an event/maintain counters when a client authentication fails and log details like subject, CN, SPIFFE, etc. from the client certificate that was being rejected.

Regarding the GRPC_TRACE option, once turned on it will be logging for all events but not for a particular event like client connection rejection.

Gregory Cooke

Jan 28, 2025, 3:11:49 PM
to grpc.io
Hello,

Thank you for the extra detail - given that, unfortunately I don't think there's currently a good solution to what you are asking for.
It would have to be a new feature addition to gRPC - you can open an issue on GitHub for the feature request. The more evidence we have suggesting this is a commonly-needed use case, the more likely the feature is to be implemented.

Rameshreddy Mudhireddy

Jan 31, 2025, 11:21:37 AM
to grpc.io
Thanks Gregory, I will open a feature request. Appreciate your help.

Ramesh

Rameshreddy Mudhireddy

Jan 31, 2025, 2:20:41 PM
to grpc.io
Opened a feature request: https://github.com/grpc/grpc/issues/38665

Regards
Ramesh
