I saw below piece of code in a gRPC client that works:
ssl_metadata = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('<my_grpc_server_path>:443', ssl_metadata)
I don't have the server code.
How is a secure channel created without a certificate and how will the server communicate over SSL?
Related
In our platform, the client will generate their own self-signed certificate. We will then validate the certificate external from the nginx. I use optional_no_ca and not verify the client with a trusted CA. I perform verification on the server side after nginx
I am now building the production environment with API Gateway and ALB. However, I do not know the equivalent of optional_no_ca. I want the client to verify the server cert but the client certificate should pass through to the server for some application checks.
In the TLS handshake process, the Certificate Verify message will follow the Client Key Exchange message after the server requested a client certificate. The Certificate Verify contains a digital signature computed over all previous handshake messages including the type and length fields of the handshake messages. This process allows the client to prove that it owns the private key of the client certificate it sends to the server.
The idea came from a practical problem. There is an mTLS enabled server that conducts different action policies based on the client certificate received, for example, different welcome pages for different client certificates. If a layer-7 reverse proxy service like the load balancer is placed in front of the proxied server which also requires decrypting the TLS traffic. The proxied server can only get the client certificate information from the HTTP header (for example, set proxy_set_header with $ssl_client_cert variable in NGINX) which requires modifying the logic of the server.
A simple but very troublesome solution is the reverse proxy service stores all the client certificates and their private keys. The reverse proxy service will use the same client certificate it received during the mTLS handshake process to establish the mTLS connection with the proxied server.
Since the reverse proxy service can choose whether to trust the client or not with its own implementation, it is possible to forge the Certificate Verify message by asking the client to send a second Certificate Verify signature when the proxied server needs the reverse proxy service to do so (I know it's like a man-in-the-middle attack)?
Having a grpc client and server and they are exchanging messages in grpc unary mode. I want to log all the messages the client sends to the server without changing a single line of code in both client or server. I came across to Nginx with its new graceful grpc support. Is it possible to route grpc messages from client to server via Nginx while sending a copy of them to a remote logging service? If No, please let me know if there are any other tools out there that do the same stuff.
I've seen that some app developed in Go run without tls enabled from the app, rather enabled in its proxy server(nginx). The requests coming to the app is encrypted at the nginx side only. So the Go http server is served using only http.ListenAndServe.
While using gRPC, I've seen the gRPC server served without tls enabled, and the client dial with insecure mode enabled.
I assumed all of this because you only need enable tls only if you serve requests coming from outside(external networks). If you use http and grpc for internal services communication within internal network in microservices architecture, you don't need enable tls at all since it only adds overhead. Is this true?
How is tls properly applied in Golang development for http and gRPC server?
I m trying to implement the following scenario in WinRT in c++ ,
Client----TLS -------proxy------TLS------->RemoteTLSserver
So,I did make a TCP connection with proxy,Then send a HTTP connect request for Remote TLS server. And I am successful to do it:
Client------TCP---------->proxy---------TCP(forwarding)------>Remote TLS server.
Then I use UpgradeToSslAsync(SocketProtectionLevel::Tls10,validationHostName)
(here I use my TLS server HostName as validation host).
I am getting an Exception: The token supplied to the function is invalid
Note: UpgradeToSslAsync() works with my TLS server if there is no proxy in between.
Is it possible in Windows RT to relay data through proxy server in TLS protocol?