I built what I thought was a secure Go gRPC app; we have a RootCA-signed certificate working and everything pretty much works.
Little did I know, you can use a tool like "grpcurl -insecure" and grab (my) data as if TLS wasn't even there. I missed something in the way gRPC binds and makes endpoints available. I need to be able to LOCK DOWN endpoints so that only TLS-secured connections (that I further inspect and process) are allowed; somehow, even with all the effort to set up TLS, it is still quite easy to bypass with a tool like grpcurl. What am I doing wrong? Is there a config file I need to set up, do I need to pass a parameter to the network binding, is this a public/private scoping issue at the code level? I'm lost.

My two questions are:

1) Is there a way to force *secure only* connections?

2) Is it better in gRPC to check security (e.g. JWT tokens) at the call level, or can gRPC be secured at a session level? Is there even a concept of a SESSION in gRPC, or is it better thought of as a multiplex of independent connections that each need to be managed independently?

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/784b40f0-11e2-47cb-9718-637a8220427f%40googlegroups.com.
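Whether an unverified client gets in is decided at the TLS handshake, not inside gRPC, so here is an added Go example (mine, not code from the poster's app) that uses only the standard library's crypto/tls: it builds a constructed, throwaway CA, then runs a server configured the way the post describes (server certificate only) and one configured for mutual TLS, each against a client that skips server verification, which is what grpcurl -insecure does, and against a client holding a CA-issued certificate. The names newCert, Handshake and Demo are mine; SessionTicketsDisabled is set only so the handshake stays strictly request/response over the in-memory pipe and is not part of the lock-down.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// newCert issues a throwaway Ed25519 certificate (constructed here, not the poster's RootCA); parent == nil means a self-signed CA.
func newCert(parent *tls.Certificate, cn string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// Handshake runs one TLS handshake over an in-memory pipe and returns the server-side result: that is what decides whether a peer ever reaches your gRPC handlers.
func Handshake(srv, cli *tls.Config) error {
	sp, cp := net.Pipe()
	go func() { // client side: handshake, then hang up
		cp.SetDeadline(time.Now().Add(5 * time.Second)) // a bug fails the demo instead of hanging it
		tls.Client(cp, cli).Handshake()
		cp.Close()
	}()
	defer sp.Close()
	return tls.Server(sp, srv).Handshake()
}
// Demo: server-only TLS versus mutual TLS, each against a client that skips verification (what -insecure does) and one holding a CA-issued cert.
func Demo() (insecureVsTLSOnly, insecureVsMTLS, goodVsMTLS bool) {
	ca := newCert(nil, "test-ca")
	srv, cli := newCert(&ca, "server"), newCert(&ca, "client")
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	tlsOnly := &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	mtls := &tls.Config{Certificates: []tls.Certificate{srv}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} // the lock-down: no CA-issued client cert, no connection
	insecure := &tls.Config{InsecureSkipVerify: true} // still TLS; only server-certificate checking is off
	good := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: []tls.Certificate{cli}}
	return Handshake(tlsOnly, insecure) == nil, Handshake(mtls, insecure) == nil, Handshake(mtls, good) == nil
}
```

Demo returns (true, false, true): the unverified client reaches the server-only setup because -insecure never removed TLS, it only skipped checking the server's certificate, while mutual TLS turns that client away and accepts the CA-issued one. grpc-go's credentials.NewTLS takes the same *tls.Config, so the mtls settings above are what go into the server's transport credentials.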
