I've implemented a TLS version of helloworld/greeter_client and server.
First test case (failing one)
Then I followed these steps to create the certificate, keys, etc.
greeter_tls_server is run:
~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_server localhost 50051 ca.crt server.crt server.key
greeter_tls_client is run:
~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_client localhost 50051 localhost ca.crt
greeter_tls_client fails:
SSL target name override : SET TO [localhost]
E0404 16:43:27.918287000 140735524692800 ssl_transport_security.cc:1063] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E0404 16:43:27.933634000 140735524692800 ssl_transport_security.cc:1063] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
14: Connect Failed
Greeter TLS received: RPC failed
Java HelloWorldTlsClient from grpc-java succeeds:
~/sources/github.com/grpc/grpc-java/examples$ ./build/install/examples/bin/hello-world-tls-client localhost 50051 ca.crt
Apr 04, 2018 4:40:52 PM io.grpc.examples.helloworldtls.HelloWorldClientTls greet
INFO: Will try to greet localhost ...
Apr 04, 2018 4:40:52 PM io.grpc.examples.helloworldtls.HelloWorldClientTls greet
INFO: Greeting: TLS Hello localhost
Second test case (success)
The grpc repository contains certificates and keys generated in src/core/tsi/test_creds. (BTW I've not been able to regenerate these files myself following the provided README.)
This second test case uses the credentials of grpc repository.
greeter_tls_server is run:
~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_server localhost 50051 ../../../src/core/tsi/test_creds/ca.pem ../../../src/core/tsi/test_creds/server0.pem ../../../src/core/tsi/test_creds/server0.key
greeter_tls_client succeeds:
~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_client localhost 50051 foo.test.google.com.au ../../../src/core/tsi/test_creds/ca.pem
SSL target name override : SET TO [foo.test.google.com.au]
Greeter TLS received: TLS Hello world
Java HelloWorldTlsClient fails (I guess the domain *.test.google.com.au should be specified somewhere):
Apr 04, 2018 4:54:10 PM io.grpc.examples.helloworldtls.HelloWorldClientTls greet
INFO: Will try to greet localhost ...
Apr 04, 2018 4:54:10 PM io.grpc.examples.helloworldtls.HelloWorldClientTls greet
WARNING: RPC failed: Status{code=UNAVAILABLE, description=io exception, cause=javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:634)
....
Caused by: java.security.cert.CertificateException: No name matching localhost found
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
Conclusion: Using the credentials from the grpc repository, greeter_tls_client works ok against greeter_tls_server.