Re "If server puts client's CA cert in its root pem, then SSL_get_peer_certificate will return the client's cert correctly", servers send, in the CertificateRequest message, the CAs they accept. A lot of clients will use that list to filter candidate client certificates and not even consider certificates which don't match.
On Thu, Dec 13, 2018 at 11:17 AM David Benjamin <[email protected]> wrote:

> SSL_get_peer_certificate should return the certificate, yeah. Are you sure
> the client sent one? Returning NULL should mean it didn't. Maybe configure
> your verify callback to print something and see if it prints anything.
>
> On Thu, Dec 13, 2018 at 11:07 AM Jiangtao Li <[email protected]> wrote:
>
>> +David Benjamin <[email protected]> +Julien Boeuf <[email protected]>
>>
>> David,
>>
>> Here is the scenario we have; we want to check whether it is expected
>> behavior in boringssl. Client presents a certificate to server. However,
>> server does not put client's CA certificate in the root pem.
>>
>> On server side, before handshake:
>>
>> SSL_CTX_set_verify(SSL_VERIFY_PEER, AlwaysAcceptCallback);
>> // AlwaysAcceptCallback is a customized X509_STORE_CTX_set_verify_cb and always
>> // returns 1, which means server does not really verify the client's
>> // certificate chain.
>>
>> After client/server handshake successfully,
>> SSL_get_peer_certificate() returns NULL. Is this intended behavior of
>> SSL? I expect boringssl would return client certificate.
>>
>> If server puts client's CA cert in its root pem, then
>> SSL_get_peer_certificate will return the client's cert correctly.
>>
>> Thanks,
>> Jiangtao
>>
>> On Thu, Dec 13, 2018 at 8:27 AM Jiangtao Li <[email protected]> wrote:
>>
>>> You are right. If server does not put client's CA cert as root cert,
>>> FindPropertyValues(GRPC_X509_PEM_CERT_PROPERTY_NAME) returns nothing back.
>>> It seems a bug to me. Let me debug and get back to you. Thanks much for
>>> reporting this.
>>>
>>> Thanks,
>>> Jiangtao
>>>
>>> On Thu, Dec 13, 2018 at 2:03 AM <[email protected]> wrote:
>>>
>>>> The problem is that this property is not there when the server has no
>>>> root cert (I'm pretty sure GetPeerIdentity uses GRPC_X509_PEM_CERT_PROPERTY_NAME):
>>>>
>>>> // ssl_opts.pem_root_certs = ca_cert;
>>>>
>>>> I1213 10:55:11.344137202 19144 subchannel.cc:656] New connected subchannel at 0xad4830 for subchannel 0x7fffd0008400
>>>> D1213 10:55:11.344300801 19153 grpc_auth.h:45] DebugPrintAuthContext: transport_security_type = ssl
>>>> D1213 10:55:11.344309721 19153 grpc_auth.h:45] DebugPrintAuthContext: ssl_session_reused = false
>>>> D1213 10:55:11.344314347 19153 grpc_auth.h:33] DebugPrintInputMetadata: :authority = localhost:11043 [hex: 6c6f63616c686f73743a3131303433]
>>>> D1213 10:55:11.344320586 19153 grpc_auth.h:33] DebugPrintInputMetadata: :path = /skcapipb.SkcApi/DeviceIdentityAutolink [hex: 2f736b6361706970622e536b634170692f4465766963654964656e746974794175746f6c696e6b]
>>>> D1213 10:55:11.344323637 19153 grpc_auth.h:33] DebugPrintInputMetadata: accept-encoding = identity,gzip [hex: 6964656e746974792c677a6970]
>>>> D1213 10:55:11.344326047 19153 grpc_auth.h:33] DebugPrintInputMetadata: app_id = TODO_test_app_id [hex: 544f444f5f746573745f6170705f6964]
>>>> D1213 10:55:11.344328340 19153 grpc_auth.h:33] DebugPrintInputMetadata: app_key = TODO_test_app_key [hex: 544f444f5f746573745f6170705f6b6579]
>>>> D1213 10:55:11.344330996 19153 grpc_auth.h:33] DebugPrintInputMetadata: grpc-accept-encoding = identity,deflate,gzip [hex: 6964656e746974792c6465666c6174652c677a6970]
>>>> D1213 10:55:11.344333631 19153 grpc_auth.h:33] DebugPrintInputMetadata: grpc-trace-bin = [hex: 000085c7a4e05140a4080a09f1925b739819016b27e1e513b773ed0200]
>>>> D1213 10:55:11.344336142 19153 grpc_auth.h:33] DebugPrintInputMetadata: user-agent = grpc-c++/1.16.0 grpc-c/6.0.0 (linux; chttp2; gao) [hex: 677270632d632b2b2f312e31362e3020677270632d632f362e302e3020286c696e75783b206368747470323b2067616f29]
>>>>
>>>> VS
>>>>
>>>> ssl_opts.pem_root_certs = ca_cert;
>>>>
>>>> I1213 10:54:27.822408055 18834 subchannel.cc:656] New connected subchannel at 0xad35d0 for subchannel 0x7fffd4008400
>>>> D1213 10:54:27.822553761 18854 grpc_auth.h:45] DebugPrintAuthContext: transport_security_type = ssl
>>>> D1213 10:54:27.822562749 18854 grpc_auth.h:45] DebugPrintAuthContext: x509_common_name = localhost
>>>> D1213 10:54:27.822568911 18854 grpc_auth.h:45] DebugPrintAuthContext: x509_pem_cert = -----BEGIN CERTIFICATE-----
>>>> [certificate body omitted]
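The mechanism described in the first message of this thread (the server advertises a CA list in CertificateRequest and the client only offers a certificate whose issuer is on that list, so a server that accepts anything but advertises the wrong CAs still ends up with no peer certificate) can be reproduced end to end. The program below is an added example, not code from this thread, from gRPC or from BoringSSL; it uses Go's crypto/tls, whose client applies exactly that filter (CertificateRequestInfo.AcceptableCAs) and whose server fills the list from Config.ClientCAs. Config.ClientAuth = tls.RequestClientCert plays the role of the always-accept verify callback from the thread. The function names newCert, handshake and runScenarios, the CA names and the loopback TCP setup are my own choices, and the third scenario (no CA list at all) goes beyond the two cases in the thread to show the contrast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert makes an ECDSA P-256 key and a certificate for it (constructed test
// material). With parent == nil the certificate is self-signed, which is used
// here both for the CAs and for the server certificate; otherwise it is issued
// by parent and signed with parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN so hostname verification works for the server cert
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake runs one TLS handshake over loopback TCP (net.Pipe is synchronous
// and can deadlock a TLS handshake) and returns how many certificates the
// server recorded from the client, i.e. the Go analogue of whether
// SSL_get_peer_certificate would return a certificate or NULL.
func handshake(serverCfg, clientCfg *tls.Config) (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	type result struct {
		n   int
		err error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{0, err}
			return
		}
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			done <- result{0, err}
			return
		}
		done <- result{len(srv.ConnectionState().PeerCertificates), nil}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	r := <-done
	return r.n, r.err
}

// runScenarios returns, per scenario, how many client certificates the server
// saw. The client always holds one certificate issued by "client-ca"; only the
// CA list the server advertises in CertificateRequest changes.
func runScenarios() (map[string]int, error) {
	serverCert, serverKey := newCert("localhost", false, nil, nil)
	clientCA, clientCAKey := newCert("client-ca", true, nil, nil)
	otherCA, _ := newCert("other-ca", true, nil, nil)
	clientCert, clientKey := newCert("client", false, clientCA, clientCAKey)

	roots := x509.NewCertPool()
	roots.AddCert(serverCert)
	clientCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		Certificates: []tls.Certificate{{
			Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey, Leaf: clientCert,
		}},
	}
	cases := map[string]*x509.Certificate{
		"ca_list_contains_client_ca": clientCA, // the thread's "CA cert in root pem" case
		"ca_list_contains_other_ca":  otherCA,  // server accepts anything, but advertises the wrong CA
		"no_ca_list":                 nil,      // no list at all: Go's client offers its cert unconditionally
	}
	out := map[string]int{}
	for name, ca := range cases {
		serverCfg := &tls.Config{
			Certificates:           []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
			ClientAuth:             tls.RequestClientCert, // request but never verify: the always-accept callback
			SessionTicketsDisabled: true,
		}
		if ca != nil {
			pool := x509.NewCertPool()
			pool.AddCert(ca)
			serverCfg.ClientCAs = pool // subjects of this pool are sent in CertificateRequest
		}
		n, err := handshake(serverCfg, clientCfg)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = n
	}
	return out, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, n := range res {
		fmt.Printf("%-28s server saw %d client certificate(s)\n", name, n)
	}
}
```

The second scenario is the one the thread is about: the server's verify step accepts everything, yet it records no client certificate, because the client never offered one after seeing a CA list its certificate does not chain to. Checking the CA list a server advertises (for example by inspecting the CertificateRequest in a packet capture, or by logging from the client's certificate-selection callback) is therefore the first thing to verify before suspecting the verify callback.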
