Skip to content

tls: ValidateAuthority must only use the leaf certificate for matching SANs #8721

New issue
New issue
Open
Bug
Open
tls: ValidateAuthority must only use the leaf certificate for matching SANs#8721
Bug
Assignees
gtcooke94
Labels
Area: AuthIncludes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc.P2Type: Bug
@arjan-bal

Description

@arjan-bal
arjan-bal
opened on Nov 20, 2025

I noticed that the authority override call option is validated by the Tls client creds in an unexpected way.

grpc-go/credentials/tls.go

Lines 57 to 67 in 50c6321

func (t TLSInfo) ValidateAuthority(authority string) error {
var errs []error
for _, cert := range t.State.PeerCertificates {
var err error
if err = cert.VerifyHostname(authority); err == nil {
return nil
}
errs = append(errs, err)
}
return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
}

The code is iterating over the whole chain here. My understanding is that PeerCertificates[0] is the leaf, and that is the only certificate we should be checking the hostname against.

Validating against the rest of the chain seems to imply we accept a situation where the Authority header matches the name of an Intermediate CA, which doesn't seem right.

gRPC Java and C++ don't seem to validate the hostname from the HTTP2 authority header override against the TLS cert SANs at all.

Metadata

Metadata

Assignees

Labels

Area: AuthIncludes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc.P2Type: Bug

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions