Can we skip validation of IP or hostname info within the cert during the gRPC SSL secure connection?


yang ma

Feb 9, 2021, 9:40:05 PM
to grpc.io

- Abstract

Using the C++ interface, I set up a server using SslServerCredentials and just give the grpc::ServerBuilder instance an IP to create the listening port.

The code of server-side is shown below:


#include <grpcpp/grpcpp.h>
#include <grpcpp/security/server_credentials.h>

// Ssl-Cert info of server side encapsulation
grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = { serverKey.c_str(), serverCert.c_str() };
grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY);
ssl_opts.pem_root_certs = clientCert;          // roots used to check client certificates
ssl_opts.pem_key_cert_pairs.push_back(pkcp);   // the server's own key and certificate
std::shared_ptr<grpc::ServerCredentials> creds = grpc::SslServerCredentials(ssl_opts);

// Create server listening port
std::string server_address("127.0.0.1:50051");
grpc::ServerBuilder builder;
builder.AddListeningPort(server_address, creds);

And the code of client-side is shown below:

#include <grpcpp/grpcpp.h>
#include <grpcpp/security/credentials.h>

// Ssl-Cert info of client side encapsulation
grpc::SslCredentialsOptions ssl_opts;
ssl_opts.pem_root_certs = servercert;   // trust anchor used to verify the server
ssl_opts.pem_private_key = clientkey;   // the client's own key and certificate
ssl_opts.pem_cert_chain = clientcert;

// Client side IP and params setup
std::string hostname{"127.0.0.1:50051"};
std::shared_ptr<grpc::ChannelCredentials> creds = grpc::SslCredentials(ssl_opts);
grpc::ChannelArguments args;
auto channel = grpc::CreateCustomChannel(hostname, creds, args);

My question is this: the gRPC connection between server and client using the IP works fine without the SSL secure channel.

But if I insert the SSL credential info as above, the error below is found.


- Error Found


client_side:

(base) user@user-machine:~/grpc/examples/cpp/helloworld$GRPC_VERBOSITY=DEBUG ./greeter_client


D0207 16:02:57.197850779 16548 dns_resolver_ares.cc:504] Using ares dns resolver

D0207 16:02:57.204809585 16548 security_handshaker.cc:184] Security handshake failed: {"created":"@1612684977.204796431","description":"Peer name 127.0.0.1 is not in peer certificate","file":"~/grpc/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":57}

I0207 16:02:57.204886270 16548 subchannel.cc:1033] Connect failed: {"created":"@1612684977.204796431","description":"Peer name 127.0.0.1 is not in peer certificate","file":"~/grpc/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":57}

I0207 16:02:57.204919892 16548 subchannel.cc:972] Subchannel 0x55f0ee4cb360: Retry in 993 milliseconds

14: failed to connect to all addresses

Greeter received: RPC failed


server_side:

(base) user@user-machine:~/grpc/examples/cpp/helloworld$ GRPC_VERBOSITY=DEBUG ./greeter_server


D0207 16:02:43.985391400 16542 dns_resolver_ares.cc:504] Using ares dns resolver

I0207 16:02:43.985475962 16542 server_builder.cc:332] Synchronous server. Num CQs: 1, Min pollers: 1, Max Pollers: 2, CQ timeout (msec): 10000

Server listening on 127.0.0.1:50051

E0207 16:02:57.200528351 16546 ssl_transport_security.cc:1723] No match found for server name: 127.0.0.1.


client_self_signed_cert_info:

openssl x509 -in ~/grpc/examples/cpp/helloworld/ssl_key1/client_self_signed_crt.pem -text -noout


Certificate:

Data:

Version: 1 (0x0)

Serial Number:

...

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1

Validity

Not Before: Feb 7 07:13:41 2021 GMT

Not After : Feb 5 07:13:41 2031 GMT

Subject: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

...

Exponent: 65537 (0x10001)

Signature Algorithm: sha256WithRSAEncryption

...

(server_self_signed_cert is the same as above)


ca_cert_info:

openssl x509 -in ca.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

...

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1

Validity

Not Before: Feb 7 07:13:41 2021 GMT

Not After : Feb 5 07:13:41 2031 GMT

Subject: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

...

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

...

X509v3 Authority Key Identifier:

..


X509v3 Basic Constraints: critical

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption


- Question && Requirement

Can we skip Validation of IP or Hostname info within the Cert?

After investigation and analysis of your source code and testing example, I found that the ‘hostname validation’ is enforced in your grpc-ssl-secure-channel connection.

I wonder if there is a ‘controller-param’ in the server's and client's args to shut down the hostname identity validation while setting up the connection.


Application Scenario:

In my application scenario, there is only one server and multiple clients.

(Each client holds a different IP address.)

And the only common info between the client and server is the IP. Client and server know each other’s IP address, but the multiple clients only hold one Client_Cert.


Testing Result:

  • Set up the address as ‘localhost:50051’ both on the server and client side: my script works fine.
  • Set up the address as ‘127.0.0.1:50051’ and attach the IP info in the SSL cert using the SANs extension: my script also works fine. (How to attach the IP info to the SSL cert can be found in the link below: https://medium.com/@antelle/how-to-generate-a-self-signed-ssl-certificate-for-an-ip-address-f0dd8dddf75)
  • Set up the address as ‘127.0.0.1:50051’ and attach the hostname info through SetTargetNameOverride: my script also works fine. So what I want to know can be simply understood as: does the setting of SetTargetNameOverride really solve the problem in the right way? For I just want to skip the validation of the hostname.



Sachin Bharadwaj S

Feb 22, 2021, 1:43:43 PM
to yang ma, grpc.io
Hi Yang,

Have a CN in the certificate and then use SetSslTargetNameOverride(<CN>)
For example, if CN is "test"
args.SetSslTargetNameOverride("test");

Regards,
Sachin


Frédéric Martinsons

Feb 25, 2021, 3:32:33 PM
to Sachin Bharadwaj S, grp...@googlegroups.com
Sorry I forgot the reply all :(

On Mon, Feb 22, 2021 at 19:58, Frédéric Martinsons <frederic....@gmail.com> wrote:
Overriding (or worse, ignoring) the CN is a bad security practice.
It's far better to generate the correct certificate with the correct Common Name (or use the SAN, subject alternative name, to match the host you intend to talk to).
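The approach recommended above (and the one that worked in the original poster's second test) is to put the IP the client dials into the certificate's subjectAltName rather than overriding or disabling the peer-name check. The script below is an added example, not code from the thread or from the gRPC project: it issues a test CA and two leaf certificates with CN=127.0.0.1, one with an IP SAN and one without (the shape of the certificate shown in the question), and checks each with `openssl verify -verify_ip`, which only accepts an IP target from a SAN iPAddress entry. It assumes the `openssl` command-line tool is on PATH and a writable scratch directory (`WORK`, created with mktemp); the CA name `example-test-ca` and the file names are constructed for the example. This checks the certificate on its own, not gRPC's matcher, but the outcome for the CN-only certificate matches the "No match found for server name: 127.0.0.1" error in the thread.

```shell
#!/bin/sh
# Added example: issue a certificate that is valid for the IP a gRPC client
# dials, and show that a CN-only certificate is not. Not part of the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: writable scratch directory

# make_ca: self-signed test CA (constructed name, not the thread's real PKI).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SAN: issue a CA-signed leaf with CN=127.0.0.1, as in the
# thread. SAN is e.g. "IP:127.0.0.1,DNS:localhost"; an empty SAN reproduces
# the CN-only certificate from the question.
issue_cert() {
  name=$1; san=${2:-}
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=127.0.0.1" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$san" ]; then
    printf '[leaf]\nsubjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -extfile "$WORK/$name.ext" -extensions leaf \
      -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
      -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# verify_ip NAME IP: exit 0 only if NAME.crt chains to the CA *and* carries
# IP in a subjectAltName iPAddress entry (the CN is not consulted for IPs).
verify_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_cert good "IP:127.0.0.1,DNS:localhost"   # what the poster's second test did
  issue_cert cnonly ""                           # CN=127.0.0.1 and no SAN, as in the question
  for case in "good 127.0.0.1" "good 10.0.0.1" "cnonly 127.0.0.1"; do
    set -- $case
    if verify_ip "$1" "$2"; then
      echo "$1.crt is valid for $2"
    else
      echo "$1.crt is NOT valid for $2"
    fi
  done
}

demo
```

Running it prints that good.crt is valid for 127.0.0.1 and for nothing else, while cnonly.crt is rejected for 127.0.0.1 even though its CN says so. Issuing one such certificate per server (or one whose SAN lists every address clients dial) keeps the client's peer-name check switched on, which is the property that SetSslTargetNameOverride gives up.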
