Closed. matze closed this issue 1 year ago.
I believe this would require configuring how we apply rustls and I am not an expert there. I would recommend looking through how you might approach this without tonic with a tcp/http stream. That solution should then be applicable to tonic.
I believe this is solved by https://github.com/hyperium/tonic/pull/1163.
Thanks! I will check once a release is made.
Feature Request
Motivation
In order to implement a self-contained CA, I would like to issue a client certificate via a gRPC endpoint (and verify the cert via a side channel). However, once client authentication is enabled, all endpoints have to be called with a client certificate. Excluding certain calls from authentication or having call credentials would allow me to implement that.
Proposal
I am not in a position to say whether these proposals are possible or not, but I'd see it like this:
Alternatives
I could start a separate non-authenticated server that just issues certificates but that is annoying because of the second port, sharing the cert information with the actual server etc.