grpc-java
Perform hostname checking on :authority before issuing call
We allow users to override the authority per-call, but we currently don't do any verification that that authority would be permitted for the current server. We should verify the provided authority against the TLS cert of the connection and fail in some way if the cert is not good for the requested authority. We would cache these verifications for the connection in a simple hash map.
It is the Java equivalent of https://github.com/grpc/grpc/pull/471
We need to decide if CallOptions.withAuthority will be Experimental.
It would have been nice for 1.0, but being realistic it won't happen by then.
Does this still need to happen for 1.1?
There are some internal users that use this. Mostly used in tests by the prod team.
Currently authority-based routing in nginx works with any identifier (not a domain name) passed as authority. That would stop working if this issue is eventually implemented, am I correct?
If you use TLS and the authority is not covered by the TLS certificate, yes, that would not work.
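A sketch of the check this issue proposes, added here as an illustration and not grpc-java code: the per-call authority is matched against the DNS names of the connection's certificate, and the result is cached per connection in a hash map. The class name `AuthorityCheck`, the assumption that the dNSName SANs were already extracted from the verified peer certificate, and the sample names are all constructed for the example.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical per-connection authority check; not a grpc-java class. */
public final class AuthorityCheck {
  // Assumption: dNSName SANs taken from the peer certificate after the TLS handshake.
  private final List<String> sanDnsNames;
  // One entry per authority seen on this connection; a real implementation should bound it.
  private final Map<String, Boolean> cache = new ConcurrentHashMap<>();

  public AuthorityCheck(List<String> sanDnsNames) {
    this.sanDnsNames = List.copyOf(sanDnsNames);
  }

  /** True if the per-call authority is covered by this connection's certificate. */
  public boolean isPermitted(String authority) {
    return cache.computeIfAbsent(authority, this::verify);
  }

  private boolean verify(String authority) {
    String host = stripPort(authority).toLowerCase(Locale.ROOT);
    if (host.isEmpty() || host.startsWith("[")) {
      return false; // IP literals need iPAddress SANs, which this sketch does not handle
    }
    for (String san : sanDnsNames) {
      if (matches(san.toLowerCase(Locale.ROOT), host)) return true;
    }
    return false;
  }

  private static String stripPort(String authority) {
    if (authority.startsWith("[")) return authority;
    int colon = authority.lastIndexOf(':');
    return colon < 0 ? authority : authority.substring(0, colon);
  }

  // A leading "*." matches exactly one left-most label; anything else must match exactly.
  private static boolean matches(String pattern, String host) {
    if (!pattern.startsWith("*.")) return pattern.equals(host);
    int dot = host.indexOf('.');
    return dot > 0 && host.substring(dot).equals(pattern.substring(1));
  }

  public static void main(String[] args) {
    AuthorityCheck conn = new AuthorityCheck(List.of("api.example.test", "*.svc.example.test"));
    for (String a : List.of("api.example.test:443", "a.svc.example.test",
        "a.b.svc.example.test", "route-key-7")) {
      System.out.println(a + " -> " + (conn.isPermitted(a) ? "permitted" : "fail the call"));
    }
  }
}
```

The last sample, `route-key-7`, is the routing-identifier case asked about above: it is not a name in the certificate, so the call would be failed.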