Skip to content

advancedtls: Use the New tls.Config.VerifyConnection callback #3610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ZhenLian opened this issue May 8, 2020 · 7 comments
Closed

advancedtls: Use the New tls.Config.VerifyConnection callback #3610

ZhenLian opened this issue May 8, 2020 · 7 comments
Assignees
@ZhenLian
Labels
P2 Type: Feature New features or improvements in behavior Type: Internal Cleanup Refactors, etc Type: Security A bug or other problem affecting security

Comments

@ZhenLian
Copy link
Contributor

ZhenLian commented May 8, 2020

Use case(s) - what problem will this feature solve?

A new verification method was recently introduced in PR https://go-review.googlesource.com/c/go/+/229122/ , with the initiative to have all the connection information(such as ServerName, PeerCertificate, etc) in verify callbacks. The original issue is golang/go#36736.

We might also want to switch to use this method in advancedtls, to improve internal code quality and reduce duplicate code with main tls library of gRPC. Right now we are using a workaround of building verification callback in a closure, which could be improved after this function is used.

No API Changes are expected. This is intended for internal code quality enhancement.

Proposed Solution

Use tls.Config.VerifyConnection(s ConnectionState) in advancedtls.

@jiangtaoli2016 FYI.
@ZhenLian ZhenLian added Type: Feature New features or improvements in behavior Type: Internal Cleanup Refactors, etc Type: Security A bug or other problem affecting security labels May 8, 2020
@ZhenLian ZhenLian self-assigned this May 8, 2020
@menghanl menghanl added the P2 label May 14, 2020
@ghost
Copy link

ghost commented Oct 18, 2020

@ZhenLian I'm looking into this issue and I have one question at the moment. I don't understand the statement here https://github.com/grpc/grpc-go/blob/master/security/advancedtls/advancedtls.go#L446-L447.

//   2. will ignore basic certificate check when setting InsecureSkipVerify
//   to true.

I understand that buildVerifyFunc's purpose is to support root cert reloading and the verifyFunc callback but I'm not sure how ...will ignore basic certificate check when setting InsecureSkipVerify is relevant to buildVerifyFunc.

May you elaborate on this?

@ghost
Copy link

ghost commented Oct 18, 2020

@ZhenLian I'm looking into this issue and I have one question at the moment. I don't understand the statement here https://github.com/grpc/grpc-go/blob/master/security/advancedtls/advancedtls.go#L446-L447.

//   2. will ignore basic certificate check when setting InsecureSkipVerify
//   to true.

I understand that buildVerifyFunc's purpose is to support root cert reloading and the verifyFunc callback but I'm not sure how ...will ignore basic certificate check when setting InsecureSkipVerify is relevant to buildVerifyFunc.

May you elaborate on this?

Since we are reloading the root CA certs in buildVerifyFunc is InsecureSkipVerify being set to true so that we may verify the client/server certificates using the reloaded root CA certs?

@ZhenLian
Copy link
Contributor Author

@kadenlnelson
Yes, the reason we are settingInsecureSkipVerify to true on tls.Config is for root credential reloading and custom verification. If this field is set to true, the underlying stack would bypass both the certificate check and the hostname check.

@ghost ghost mentioned this issue Oct 19, 2020
Closed
@ghost
Copy link

ghost commented Oct 19, 2020
edited by ghost
Loading

@ZhenLian May you take a look at my work in progress PR? https://github.com/grpc/grpc-go/pull/3963/files

Also in reference to;

No API Changes are expected. This is intended for internal code quality enhancement.

Not sure how this is going to be possible since the function signature is changing to use;

	VerifyPeer func(tls.ConnectionState) error

@ghost
Copy link

ghost commented Oct 21, 2020

@ZhenLian before I go ahead and add tests/docs, does my draft pull request assess the issue accordingly?

@ZhenLian
Copy link
Contributor Author

I left some comments. Feel free to let me know if you have any questions. Thanks!

@easwars
Copy link
Contributor

easwars commented May 4, 2021

The PR mentioned here was closed a while back due to inactivity. Hence, closing this one as well.

@easwars easwars closed this as completed May 4, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 31, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@ZhenLian ZhenLian

Labels
P2 Type: Feature New features or improvements in behavior Type: Internal Cleanup Refactors, etc Type: Security A bug or other problem affecting security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

security/advancedtls: use the new tls.Config.VerifyConnection callback
3 participants
@menghanl @easwars @ZhenLian