Custom Server Certificate Verification Logic from Client Side #1965
Comments
The function Regarding the channel state issue you described, it should not be possible for a channel to be ready if none of its subchannels are ready. Are you sure that you were looking at the right subchannel? If so, that sounds like a bug, so it would be great if you could file another issue with code that reproduces that state.
I have 2 issues with that:
Regarding the channel state, don't worry about that; turns out I was creating a whole new subchannel. Anyway, I did find another thing: the docs didn't say that
You're right, the
Is your feature request related to a problem? Please describe.
I need to put in custom logic for verifying the server certificate from the client side (and I also want to fetch this certificate for further processing because it has useful data).
The way I've currently done it is by first disabling certificate checking, then monkey-patching: reaching down into the internals to get the http2session object and fetching the socket's certificate.
This allows me to verify the server certificate using my own custom logic.
However, this isn't a very robust solution. I've found that in some cases the http2 session object is still null in the subchannel because the subchannel state is still idle. I thought that the subchannel state would be ready by the time the channel state is ready, but this appears not to be the case. How can the channel state be ready while the subchannel state is still not ready? Doesn't it need to verify the certificates somehow?
Describe the solution you'd like
Ideally there would be some way of hooking into the TLS logic, and passing my own certificate verification logic without monkey patching. I actually do this on both client side and server side, but this issue is about client side.
Describe alternatives you've considered
I've also looked into overriding the channel object, but it seems quite complicated since the TLS is occurring inside http2, which is inside a subchannel.