grpc-node TLS sample code is not complete.

Created on 12 Apr 2018  路  7Comments  路  Source: grpc/grpc-node

Hi gurus,
I am a newbee to node.js and grpc. So a good sample code is really appreciated.

The grpc-node TLS sample code is in https://grpc.io/docs/guides/auth.html#nodejs not complete.
For example, no sample code for TLS client side.
The strange thing is,
https://grpc.io/grpc/node/grpc.credentials.html
createSsl( [root_certs] [, private_key] [, cert_chain])
Create an SSL Credentials object. If using a client-side certificate, both the second and third arguments must be passed.
Why are private key and cert chain needed for client side?
They are not needed for grpc-go TLS client side.
https://github.com/grpc/grpc-go/issues/1980

Most helpful comment

There is some confusion here and I'm not certain if you are trying to initiate a "normal" TLS connection to a server from the client side or if you are instead trying to connect to a server that performs client authentication via certs ("mutual TLS").

If it is the latter ("mutual TLS"), then you do need to pass the client cert (cert_chain) and private key for the cert (private_key) because the server you are connecting to requires it. Furthermore, the go example you point to (which I think is more pointing to the example here) is not doing mutual TLS (which requires providing a client-side cert/key) but rather it is just initiating a "normal" TLS connection to the server.

If it is the former (you are not doing mutual TLS), the optional [, private_key] [, cert_chain] parts would be omitted when making the call (which would match the go example you link to).

Hopefully that helps. I stumbled on this issue looking for other issues here and thought I would try to help clear things up.

All 7 comments

There is some confusion here and I'm not certain if you are trying to initiate a "normal" TLS connection to a server from the client side or if you are instead trying to connect to a server that performs client authentication via certs ("mutual TLS").

If it is the latter ("mutual TLS"), then you do need to pass the client cert (cert_chain) and private key for the cert (private_key) because the server you are connecting to requires it. Furthermore, the go example you point to (which I think is more pointing to the example here) is not doing mutual TLS (which requires providing a client-side cert/key) but rather it is just initiating a "normal" TLS connection to the server.

If it is the former (you are not doing mutual TLS), the optional [, private_key] [, cert_chain] parts would be omitted when making the call (which would match the go example you link to).

Hopefully that helps. I stumbled on this issue looking for other issues here and thought I would try to help clear things up.

grpc nodejs docs are appalling. What shall I supply in root_certs? Buffer of what?

@celesteking were you able to figure that out? We are having the same issue. In particular, node's root certs (require("tls").rootCertificates) are an array of strings

The root certs is supposed to be a Buffer loaded from a root certificates file. If you want to use the default public root certificates, just omit that argument. It is supposed to be used with self-signed certificates, or certificates that otherwise don't have a signing chain that includes one of the main root certificate authorities.

An example of self-signed certificates can be found in this directory: https://github.com/grpc/grpc-node/tree/master/test/data. The ca.pem file contains the root certificate.

@murgatroid99 I don't believe the code works like that. The following example from the grpc-js, but I believe the native version works the same way. If ssl is missing, it looks for an environment variable called GRPC_DEFAULT_SSL_ROOTS_FILE_PATH (which is still a single .pem I believe).

https://github.com/grpc/grpc-node/blob/1d14203c382509c3f36132bd0244c99792cb6601/packages/grpc-js/src/tls-helpers.ts#L30

If that environment variable is not set, it defaults to using the built in root certificates.

Also, I'm not sure if this is clear: one .pem file can contain information for multiple certificates.

Thank you guys for the time on this ticket.
Since I am not working on this anymore, please feel free to close the ticket if needed.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ozt88 picture ozt88  路  3Comments

samiq picture samiq  路  5Comments

Aswathi17 picture Aswathi17  路  3Comments

respinha picture respinha  路  6Comments

keyvhinng picture keyvhinng  路  5Comments