Open flyingsilverfin opened 3 years ago
The handling of the CA is entirely up to gRPC, since the only thing we do is pass the file path down to the gRPC server.
It does look suspicious that a modified root CA can still be used, so it's likely a bug. However, I want to read up a bit on it before making an issue on their side.
Still occurs with latest Console, Cluster.
Can also be reproduced by simply renaming the root CA file.
Description
We expect that, when using the wrong or an invalid root CA certificate to make an encrypted connection to the cluster, it can succeed.
Environment
Tested in the Factory cluster environment
Reproducible Steps
./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password --tls-enabled --tls-root-ca=<path to correct root ca>
confirm that
works
x's
./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password --tls-enabled --tls-root-ca=
confirm that still works! When it should not...
Note that the way this was tested may end up with some gRPC magic that notices that a correct SSL certificate was used from the same origin before??
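An offline baseline for triaging this report, added here as an example and not part of the issue or of TypeDB: it uses the `openssl` CLI to show what a strict verifier does with the correct root CA, a different root CA, and a renamed (missing) root CA file. All file names, subject names and certificates are constructed for the example; substituting the real CA file and server certificate confirms whether the "wrong" CA should in fact fail before blaming the client.

```shell
#!/usr/bin/env bash
# Added example. All names, paths and certificates here are constructed.

make_ca() {            # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = signing CA prefix, $2 = output prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=typedb-cluster-0" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Prints "accepted" if certificate $2 chains to the root CA file $1,
# "rejected" otherwise (including when the CA file cannot be read).
check_root_ca() {
  if [ -r "$1" ] && openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Runs the three cases from the report against throwaway certificates.
run_cases() {
  d=$(mktemp -d) || return 1
  make_ca "$d/good" "Constructed Good CA"
  make_ca "$d/other" "Constructed Other CA"
  make_server_cert "$d/good" "$d/server"
  echo "correct=$(check_root_ca "$d/good.pem" "$d/server.pem")"
  echo "wrong=$(check_root_ca "$d/other.pem" "$d/server.pem")"
  mv "$d/good.pem" "$d/renamed.pem"   # the original path no longer exists
  echo "renamed=$(check_root_ca "$d/good.pem" "$d/server.pem")"
  rm -rf "$d"
}

run_cases
```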