On Tue, Sep 5, 2017 at 1:07 PM, <[email protected]> wrote:

> Is there a means for the client to obtain the certificate bytes from the TLS negotiation that was sent by the server? The reason I ask: to avoid a replay security scenario, the idea is for the client to hash this and send it back with requests.

That's pretty strange. Normally the only reason to be worried about replay attacks is if the connection is not authenticated; is the server not using a "real" certificate? Even still, "binding" data to a connection with client certificates or Channel ID[1] seems much saner (yes, those are based on the client, not the server). I'm also not quite sure how the certificate bytes actually help anything, since they're public and every client would have them. I assume you're doing a trick there as well.

> I honestly don't know the details of this but am just trying to figure out if it can even be done. I don't think that even converting a Java Certificate or X509Certificate back to bytes works, because I don't think it would guarantee idempotence. The closest I've seen: sslContext.sessionContext().getIds(), then use one of those ids -> sslContext.sessionContext().getSession(id), which has an SSLSession where there are methods to get Certificates, but as noted I don't think that's adequate.

grpc-java doesn't provide *any* information about the connection an RPC is on until the response headers are received. clientCall.getAttributes(Grpc.TRANSPORT_ATTR_SSL_SESSION) can get the SslSession, but I don't have any other ideas for you.

1. Not that grpc-java *supports* Channel ID

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CA%2B4M1oNQrX_%2B3yDoRRvB%3D5GJN4oY%3DKOb9aaEaSQjawmudh15sQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
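How the server certificate bytes can actually be reached from the grpc-java client side, as an added example that is not code from this thread or from the grpc-java project: a ClientInterceptor that, once response headers arrive, reads the SSLSession out of the call attributes with Grpc.TRANSPORT_ATTR_SSL_SESSION, takes the DER encoding of the server's leaf certificate with X509Certificate.getEncoded(), and SHA-256 hashes it into a fingerprint. It is written against the grpc-java 1.x API (ClientCall.getAttributes() is marked experimental there); the class name, the hash choice and the decision to only log the fingerprint are my own assumptions. As the reply says, the attribute is null before onHeaders, so this observes the certificate the connection actually used rather than gating the request on it.

```java
import io.grpc.Attributes;
import io.grpc.CallOptions;
import io.grpc.Channel;
import io.grpc.ClientCall;
import io.grpc.ClientInterceptor;
import io.grpc.ForwardingClientCall.SimpleForwardingClientCall;
import io.grpc.ForwardingClientCallListener.SimpleForwardingClientCallListener;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.MethodDescriptor;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Added example (hypothetical class, not part of grpc-java): logs the SHA-256
 * fingerprint of the server's leaf certificate for each RPC once the response
 * headers have been received. The fingerprint is a public value, so it is only
 * useful as an audit/logging aid (e.g. spotting an unexpected certificate), not
 * as a replay defence.
 */
public final class ServerCertFingerprintInterceptor implements ClientInterceptor {

  @Override
  public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
      MethodDescriptor<ReqT, RespT> method, CallOptions callOptions, Channel next) {
    final ClientCall<ReqT, RespT> call = next.newCall(method, callOptions);
    return new SimpleForwardingClientCall<ReqT, RespT>(call) {
      @Override
      public void start(Listener<RespT> responseListener, Metadata headers) {
        super.start(new SimpleForwardingClientCallListener<RespT>(responseListener) {
          @Override
          public void onHeaders(Metadata responseHeaders) {
            // Transport attributes (including the SSLSession) are only
            // populated once the response headers arrive; before that the
            // key is absent and get() returns null.
            Attributes attrs = call.getAttributes();
            SSLSession session = attrs.get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
            String fp = session == null ? null : fingerprint(session);
            if (fp == null) {
              System.err.println(method.getFullMethodName() + ": no TLS session / peer cert");
            } else {
              System.err.println(method.getFullMethodName() + ": server cert sha256=" + fp);
            }
            super.onHeaders(responseHeaders);
          }
        }, headers);
      }
    };
  }

  /**
   * Returns the lowercase hex SHA-256 of the peer's leaf certificate in its
   * DER encoding (the bytes the TLS handshake carried), or null when the
   * session has no verified peer certificate.
   */
  static String fingerprint(SSLSession session) {
    try {
      Certificate[] chain = session.getPeerCertificates(); // index 0 is the leaf
      if (chain == null || chain.length == 0) {
        return null;
      }
      byte[] der = chain[0].getEncoded();
      byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
      StringBuilder hex = new StringBuilder(digest.length * 2);
      for (byte b : digest) {
        hex.append(String.format("%02x", b));
      }
      return hex.toString();
    } catch (SSLPeerUnverifiedException e) {
      // Plaintext or anonymous session: nothing to fingerprint.
      return null;
    } catch (CertificateEncodingException e) {
      return null;
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 is mandatory in the JDK", e);
    }
  }
}
```

Install it on a channel with ClientInterceptors.intercept(channel, new ServerCertFingerprintInterceptor()) or through the builder's intercept(...) method. If the goal is to detect a server presenting a certificate other than the one you expect, compare the fingerprint against an allow-list in onHeaders and raise an alert or cancel the call; this still cannot stop the request that already went out, which is why pinning belongs in the TrustManager rather than here.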
