Open zezic opened 3 years ago
It depends. On Linux, it will load the default system root pem, otherwise it will try to use root certificates that are installed with the grpc library, for example "/usr/share/grpc/roots.pem" on macOS. Implementation details on Linux can be checked here: https://github.com/grpc/grpc/blob/master/src/core/lib/security/security_connector/load_system_roots_linux.cc#L145-L167.
Thanks for pointing that out! Currently I use it on a CentOS Linux host and I have the ca-certificates package installed. So, I can safely assume that if it connects to the host and continues to work with it without any noticeable issues, then it successfully verified the host's certificate, right?
If you are using secure connections and use it correctly, then the answer is probably yes. If you worry about it, you can set a wrong name for verifying, which is expected to fail if system certificates are correctly detected.
Is server identity validated when grpcio::ChannelBuilder::secure_connect() is used with empty credentials which are made by using just the grpcio::ChannelCredentialsBuilder::new().build() without any root certificates being explicitly provided? Does it use the system-wide certificates which are located automatically by some internal OpenSSL mechanisms?