SSL_get_peer_certificate should return the certificate, yeah. Are you sure the client sent one? Returning NULL should mean it didn't. Maybe configure your verify callback to print something and see if it prints anything.
On Thu, Dec 13, 2018 at 11:07 AM Jiangtao Li <[email protected]> wrote:
> +David Benjamin <[email protected]> +Julien Boeuf <[email protected]>
>
> David,
>
> Here is the scenario we have; we want to check whether it is expected behavior
> in boringssl. The client presents a certificate to the server. However, the server does
> not put the client's CA certificate in the root pem.
> On the server side, before the handshake:
> SSL_CTX_set_verify(SSL_VERIFY_PEER, AlwaysAcceptCallback); //
> AlwaysAcceptCallback is a customized X509_STORE_CTX_set_verify_cb and always
> returns 1, which means the server does not really verify the client's
> certificate chain.
> After the client/server handshake succeeds,
> SSL_get_peer_certificate() returns NULL. Is this intended behavior of SSL?
> I expect boringssl would return the client certificate.
>
> If the server puts the client's CA cert in its root pem, then
> SSL_get_peer_certificate will return the client's cert correctly.
>
> Thanks,
> Jiangtao
>
>
> On Thu, Dec 13, 2018 at 8:27 AM Jiangtao Li <[email protected]> wrote:
>> You are right. If the server does not put the client's CA cert as a root cert,
>> FindPropertyValues(GRPC_X509_PEM_CERT_PROPERTY_NAME) returns nothing.
>> It seems a bug to me. Let me debug and get back to you. Thanks much for
>> reporting this.
>>
>> Thanks,
>> Jiangtao
>>
>>
>> On Thu, Dec 13, 2018 at 2:03 AM <[email protected]> wrote:
>>> The problem is that this property is not there when the server has no root
>>> cert (I'm pretty sure GetPeerIdentity uses GRPC_X509_PEM_CERT_PROPERTY_NAME):
>>>
>>> // ssl_opts.pem_root_certs = ca_cert;
>>>
>>> I1213 10:55:11.344137202 19144 subchannel.cc:656] New connected subchannel at 0xad4830 for subchannel 0x7fffd0008400
>>> D1213 10:55:11.344300801 19153 grpc_auth.h:45] DebugPrintAuthContext: transport_security_type = ssl
>>> D1213 10:55:11.344309721 19153 grpc_auth.h:45] DebugPrintAuthContext: ssl_session_reused = false
>>> D1213 10:55:11.344314347 19153 grpc_auth.h:33] DebugPrintInputMetadata: :authority = localhost:11043 [hex: 6c6f63616c686f73743a3131303433]
>>> D1213 10:55:11.344320586 19153 grpc_auth.h:33] DebugPrintInputMetadata: :path = /skcapipb.SkcApi/DeviceIdentityAutolink [hex: 2f736b6361706970622e536b634170692f4465766963654964656e746974794175746f6c696e6b]
>>> D1213 10:55:11.344323637 19153 grpc_auth.h:33] DebugPrintInputMetadata: accept-encoding = identity,gzip [hex: 6964656e746974792c677a6970]
>>> D1213 10:55:11.344326047 19153 grpc_auth.h:33] DebugPrintInputMetadata: app_id = TODO_test_app_id [hex: 544f444f5f746573745f6170705f6964]
>>> D1213 10:55:11.344328340 19153 grpc_auth.h:33] DebugPrintInputMetadata: app_key = TODO_test_app_key [hex: 544f444f5f746573745f6170705f6b6579]
>>> D1213 10:55:11.344330996 19153 grpc_auth.h:33] DebugPrintInputMetadata: grpc-accept-encoding = identity,deflate,gzip [hex: 6964656e746974792c6465666c6174652c677a6970]
>>> D1213 10:55:11.344333631 19153 grpc_auth.h:33] DebugPrintInputMetadata: grpc-trace-bin = [hex: 000085c7a4e05140a4080a09f1925b739819016b27e1e513b773ed0200]
>>> D1213 10:55:11.344336142 19153 grpc_auth.h:33] DebugPrintInputMetadata: user-agent = grpc-c++/1.16.0 grpc-c/6.0.0 (linux; chttp2; gao) [hex: 677270632d632b2b2f312e31362e3020677270632d632f362e302e3020286c696e75783b206368747470323b2067616f29]
>>>
>>> VS
>>>
>>> ssl_opts.pem_root_certs = ca_cert;
>>>
>>> I1213 10:54:27.822408055 18834 subchannel.cc:656] New connected subchannel at 0xad35d0 for subchannel 0x7fffd4008400
>>> D1213 10:54:27.822553761 18854 grpc_auth.h:45] DebugPrintAuthContext: transport_security_type = ssl
>>> D1213 10:54:27.822562749 18854 grpc_auth.h:45] DebugPrintAuthContext: x509_common_name = localhost
>>> D1213 10:54:27.822568911 18854 grpc_auth.h:45] DebugPrintAuthContext: x509_pem_cert = -----BEGIN CERTIFICATE-----[certificate body elided]-----END CERTIFICATE-----
>>> D1213 10:54:27.822593407 18854 grpc_auth.h:45] DebugPrintAuthContext: ssl_session_reused = false
>>> D1213 10:54:27.822597844 18854 grpc_auth.h:33] DebugPrintInputMetadata: :authority = localhost:11043 [hex: 6c6f63616c686f73743a3131303433]
>>> D1213 10:54:27.822603860 18854 grpc_auth.h:33] DebugPrintInputMetadata: :path = /skcapipb.SkcApi/DeviceIdentityAutolink [hex: 2f736b6361706970622e536b634170692f4465766963654964656e746974794175746f6c696e6b]
>>> D1213 10:54:27.822606896 18854 grpc_auth.h:33] DebugPrintInputMetadata: accept-encoding = identity,gzip [hex: 6964656e746974792c677a6970]
>>> D1213 10:54:27.822610022 18854 grpc_auth.h

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CAF8qwaDtqA%3DxeQEwtc4n_WY8F9c8CLBoAgbYo9PbeQ0KOECXag%40mail.gmail.com.
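The question in the thread has two halves: does a server that asks for a client certificate but accepts any chain still hold the peer certificate afterwards, and how do you tell whether the client sent one at all. Both can be checked end to end without BoringSSL or gRPC. The program below is an added example, not code from the thread, from gRPC or from BoringSSL; it uses Go's crypto/tls over an in-memory pipe with throwaway self-signed certificates generated at run time, and maps the thread's settings onto crypto/tls policies as follows: RequestClientCert with no ClientCAs stands in for SSL_VERIFY_PEER with an always-accept callback, NoClientCert for a server that never sends a CertificateRequest, and VerifyClientCertIfGiven with no CA pool for normal verification when the client's CA is missing from the root PEM. The names selfSignedCert, peerCertUnderPolicy and the three policy variables are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Server-side client-certificate policies compared below (example's own names).
var (
	RequestNoVerify = tls.RequestClientCert       // ask for a cert, keep it, verify nothing
	NeverRequest    = tls.NoClientCert            // never send a CertificateRequest
	VerifyIfGiven   = tls.VerifyClientCertIfGiven // verify against ClientCAs if a cert arrives
)

// selfSignedCert builds a throwaway self-signed certificate for cn.
// It is constructed in memory for this demonstration only.
func selfSignedCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// peerCertUnderPolicy runs one handshake with the given server policy and NO
// client CA pool (the thread's "client's CA is not in the root pem" case).
// It returns the CommonName of the client certificate the server holds after
// the handshake, "" if it holds none, or the handshake error.
func peerCertUnderPolicy(policy tls.ClientAuthType) (string, error) {
	serverCert := selfSignedCert("server")
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy,
		ClientCAs:    nil, // no trust store for client certificates at all
		// net.Pipe is unbuffered; post-handshake ticket writes would stall it.
		SessionTicketsDisabled: true,
	}
	// The client pins the server's own certificate so that side verifies normally.
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{selfSignedCert("client")},
		RootCAs:      roots,
		ServerName:   "localhost",
	}

	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	deadline := time.Now().Add(time.Second) // bounds the failing-handshake case
	_ = c1.SetDeadline(deadline)
	_ = c2.SetDeadline(deadline)

	srv, cli := tls.Server(c1, serverCfg), tls.Client(c2, clientCfg)
	clientDone := make(chan error, 1)
	go func() { clientDone <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	if err := <-clientDone; err != nil {
		return "", fmt.Errorf("client handshake: %w", err)
	}
	peers := srv.ConnectionState().PeerCertificates // what SSL_get_peer_certificate would hand back
	if len(peers) == 0 {
		return "", nil
	}
	return peers[0].Subject.CommonName, nil
}

func main() {
	for _, p := range []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"request, always accept, no CA", RequestNoVerify},
		{"never request", NeverRequest},
		{"verify if given, no CA", VerifyIfGiven},
	} {
		cn, err := peerCertUnderPolicy(p.policy)
		fmt.Printf("%-32s peer CN=%q err=%v\n", p.name, cn, err)
	}
}
```

Running it prints one line per policy. Under the first policy the server holds the client's certificate (CN "client") even though no CA is configured; under the second the peer list is empty because the client was never asked and so never sent one, which is exactly the possibility David raises above; under the third the handshake fails outright rather than silently dropping the certificate. That ordering makes an empty peer certificate after a successful handshake a useful triage signal: it points at the request side of the server configuration (was a CertificateRequest sent, and did the client answer it), not at the trust store.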
