There is an alternate API credentials.createFromSecureContext(), which
takes as input a SecureContext object (creation API:
https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions). I am not
familiar with all of the options to create one of those, but if it is
possible to do what you want in Node, that is where you would do it. If
not, Node itself would need to change to support that functionality.

On Tue, Dec 10, 2024 at 10:18 AM 'Ivaylo Garnev' via grpc.io <
grpc-io@googlegroups.com> wrote:

>
> *Question: Can @grpc/grpc-js Support TLS Certificate Validation Using Only
> a Certificate Hash?*
> *Context*
>
> In the current implementation of @grpc/grpc-js, creating a secure gRPC
> channel requires providing the full server certificate to
> credentials.createSsl(). However, in dynamic environments (e.g.,
> distributed networks with a frequently updated address book), it is common
> to only have access to the hash of the server certificate (e.g., SHA-256).
> Validating the server during the TLS handshake using just the hash is not
> currently supported in the library, which creates challenges for such use
> cases.
> *Questions*
>
>    1. Is it currently possible to use only a certificate hash to validate
>    a server during the TLS handshake in @grpc/grpc-js?
>    2. If not, are there any recommended workarounds for validating a
>    server certificate against a known hash using the existing library
>    features?
>
> *Why This Matters*
>
> Environments with dynamic address books or self-signed certificates often
> only have access to certificate hashes as a trusted source of verification.
> Supporting hash-based validation would:
>
>    - Simplify integration for users in these scenarios.
>    - Align with the flexibility of the TLS protocol, which supports
>    certificate signature validation.
>
> --
> You received this message because you are subscribed to the Google Groups "
> grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/grpc-io/33b56a0c-e8b9-4071-b2d1-48962e378f0fn%40googlegroups.com
>
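The hash check discussed in this thread, sketched as an added example that is not part of either message and is not grpc-js code: a callback with the `(hostname, cert)` shape of Node's TLS `checkServerIdentity` option that compares the SHA-256 of the peer's DER-encoded leaf certificate (`cert.raw`) against one or more pinned hashes. Assumptions: the address book stores the hash of the whole DER certificate, the names `parseSha256Pin` and `makePinnedIdentityCheck` are hypothetical, the sample bytes are constructed, and accepting several pins (for certificate rotation) goes beyond the single-hash case in the question.

```javascript
const crypto = require('node:crypto');

// Normalise a pin such as "AB:CD:..." or "abcd..." to 32 raw bytes.
function parseSha256Pin(pin) {
  const hex = String(pin).replace(/[:\s]/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new Error('pin must be a SHA-256 digest (64 hex characters)');
  }
  return Buffer.from(hex, 'hex');
}

// Returns a checkServerIdentity-style callback:
//   (hostname, cert) => undefined on match, Error on mismatch.
// cert.raw is the DER encoding of the certificate the peer presented.
function makePinnedIdentityCheck(pins) {
  const expected = [].concat(pins).map(parseSha256Pin);
  if (expected.length === 0) throw new Error('at least one pin is required');

  return function checkServerIdentity(hostname, cert) {
    if (!cert || !Buffer.isBuffer(cert.raw) || cert.raw.length === 0) {
      return new Error(`no peer certificate presented by ${hostname}`);
    }
    const actual = crypto.createHash('sha256').update(cert.raw).digest();
    // Check every pin with a constant-time comparison, without early exit.
    let matched = false;
    for (const pin of expected) {
      if (crypto.timingSafeEqual(actual, pin)) matched = true;
    }
    return matched
      ? undefined
      : new Error(`certificate for ${hostname} matches no pinned SHA-256 hash`);
  };
}

// Constructed stand-in for a certificate's DER bytes (not a real certificate).
const SAMPLE_DER = Buffer.from('3082010a0282010100c0ffee', 'hex');
const SAMPLE_PIN = crypto.createHash('sha256').update(SAMPLE_DER).digest('hex');

// Runs the check against the constructed certificate and a tampered copy.
function demo() {
  const check = makePinnedIdentityCheck(SAMPLE_PIN);
  const tampered = Buffer.concat([SAMPLE_DER, Buffer.from([0x00])]);
  return {
    genuine: check('node1.example', { raw: SAMPLE_DER }) === undefined,
    tamperedRejected: check('node1.example', { raw: tampered }) instanceof Error,
  };
}
```

Node calls `checkServerIdentity` only after its own certificate chain validation has succeeded, so a callback like this adds a pin on top of chain trust and does not by itself make an untrusted self-signed certificate acceptable.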
