akarneliuk / pygnmi

The pure Python implementation of the gNMI client.
https://training.karneliuk.com
BSD 3-Clause "New" or "Revised" License

Mutual TLS (mTLS) support #55

Closed tlovenspclsauce closed 2 years ago

tlovenspclsauce commented 2 years ago

Do you support mTLS and do you have any working examples using both client and server certs? I've tried various combinations of this without success.

```python
from pygnmi.client import gNMIclient

# Placeholder; pygnmi takes target as a (hostname, port) tuple.
host = ("10.10.10.10", 57400)

with gNMIclient(target=host,
                username='admin', password='password',  # credentials are still sent alongside the certificate
                path_root='/certs/ca.cert.pem',        # CA bundle used to verify the server certificate
                path_key='/certs/ca.nopass.key',       # private key the client presents
                path_cert='/certs/client.crt',         # certificate the client presents
                override='theSubject') as gc:           # name expected in the server certificate
    print(gc.capabilities())
```

akarneliuk commented 2 years ago

Hello @instantioc ,

we don't have an example of mTLS, because so far we haven't seen the use cases where it is needed. Could you please elaborate more on what yours is?

Best, Anton

tlovenspclsauce commented 2 years ago

The use case is for more security-conscious users who do not want to rely only on a username and password. The client authenticates to the server with a certificate and the client also verifies the server cert. Both certs would be issued by and verified by an enterprise CA. The gNMI implementation/spec supports mTLS already and it is supported by many servers/appliances from various manufacturers (Cisco, Arista, Juniper). The gNXI Go-based client published by Google already supports this, but I'm interested in the existing Python-based clients already in place and programmed around.

https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-authentication.md

tlovenspclsauce commented 2 years ago

I got this working finally. Here's a sample of what I did for others needing help. Maybe some additions to the docs would help too. The override should match a SAN in the server side certificate.

```python
from pygnmi.client import gNMIclient

# Placeholder; pygnmi takes target as a (hostname, port) tuple.
host = ("10.10.10.10", 57400)

with gNMIclient(target=host,
                path_root='/Users/someuser/certs/ca.crt',      # enterprise CA used to verify the server certificate
                path_key='/Users/someuser/certs/client.key',   # client private key
                path_cert='/Users/someuser/certs/client.crt',  # client certificate issued by the same CA
                override='10.10.10.10') as gc:                 # must match a SAN in the server certificate
    print(gc.capabilities())
```
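
The enterprise-CA setup described above (server certificate verified against `path_root`, client certificate presented from `path_cert`/`path_key`, `override` matching a SAN in the server certificate), as an added shell example that is not part of pygnmi or of the original thread. It assumes the `openssl` CLI is available; the output directory, the subject names and the address 10.10.10.10 are placeholders.

```shell
#!/bin/sh
# Added example (not pygnmi code): build a throwaway "enterprise CA", a server
# certificate whose SAN carries the address used as override=, and a client
# certificate, then run the two checks the mTLS handshake depends on.
set -eu

# make_mtls_certs DIR SAN_IP
# Produces ca.crt (path_root=), client.crt/client.key (path_cert=/path_key=)
# and server.crt/server.key to install on the gNMI target.
make_mtls_certs() {
    dir="$1"; san="$2"
    mkdir -p "$dir"
    # 1. CA: explicit CA:TRUE and keyCertSign so verification treats it as an issuer.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Enterprise CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    # 2. Server cert: the SAN must contain the value the client passes as override=.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gnmi-target" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=CA:FALSE' "subjectAltName=IP:$san" \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
    # 3. Client cert from the same CA, restricted to client authentication.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pygnmi-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" \
        -out "$dir/client.crt" >/dev/null 2>&1
}

# chains_to_ca CA_FILE CERT_FILE: succeeds only if CERT_FILE verifies against CA_FILE.
# The target does this with client.crt; the client does it with server.crt (path_root=).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_contains CERT_FILE VALUE: succeeds if VALUE is a DNS or IP SAN entry of the
# certificate. VALUE is what you would pass as override=; the CN is not consulted.
san_contains() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(IP Address|DNS):${esc}"'(,|$)'
}

# Usage: generate into a scratch directory and report the checks.
demo_dir=$(mktemp -d)
make_mtls_certs "$demo_dir" 10.10.10.10
chains_to_ca "$demo_dir/ca.crt" "$demo_dir/server.crt" && echo "server.crt chains to ca.crt"
chains_to_ca "$demo_dir/ca.crt" "$demo_dir/client.crt" && echo "client.crt chains to ca.crt"
san_contains "$demo_dir/server.crt" 10.10.10.10 && echo "override=10.10.10.10 matches a SAN"
san_contains "$demo_dir/server.crt" 10.10.10.11 || echo "override=10.10.10.11 would fail: not in SAN"
```

The negative check is the point of the comment above: gRPC compares the override value against the server certificate's SAN entries, so a certificate that only carries the address in its CN, or carries a different address, fails the handshake even though it chains cleanly to the CA. The generated ca.crt, client.crt and client.key are the three files that go into `path_root`, `path_cert` and `path_key`.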

akarneliuk commented 2 years ago

Thanks @instantioc ,

we'll update the docs.

Best, Anton