SPIFFE certificate verification (SVID) failure


dheera...@gmail.com

Apr 1, 2019, 12:51:20 PM
to golang-nuts
Hi,

I am writing a gRPC client for a third-party gRPC server. The certificates issued to both server and client are SPIFFE based. These certificates don't have a Common Name, and have the SPIFFE ID in the URI SAN field.
However, there is an issue while validating the server certificate which leads to Handshake failure.

go version go1.12.1 linux/amd64


The CA had issued certificates for both client and server. My client code performs the steps below:

1. Populate the tls.Config structure:
       tlsConf.Certificates = []tls.Certificate{clientcertificate}
       tlsConf.RootCAs = caCertificatePool
       tlsConf.InsecureSkipVerify = false

2. creds = credentials.NewTLS(&tlsConf)

3. conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", "servername")
   conn, _, err = creds.ClientHandshake(ctx, "servername", conn)
    
ClientHandshake returns the err "x509: certificate is not valid for any names, but wanted to match <servername>"

This error comes from the https://golang.org/src/crypto/x509/verify.go file, func (h HostnameError) Error() string.
After a little debugging, it looks like the sequence of events below is happening.
i) hostname is populated from addr (i.e. servername in this case) in DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This same hostname is populated as config.ServerName. 
ii) config.ServerName is later used to populate DNSName in VerifyOptions.
iii) Since DNSName is non-empty, VerifyHostname() is called, which returns an error!

In short, when it is a SPIFFE certificate, the hostname match should be avoided and only the URI SAN should be matched.
There is an option of InsecureSkipVerify which altogether skips hostname and certificate verification. 
I would like to know if there is an option of just skipping hostname match, and continue with rest of the certificate verification (required for mTLS).

Thanks,
Dheeraj

bradle...@gmail.com

Apr 2, 2019, 1:48:20 PM
to golang-nuts
Have you reached out to the SPIFFE and SPIRE folks?

https://github.com/spiffe/spire

SPIRE, a reference implementation, is written in Go. They may be familiar with the issue.

Dheeraj Gedam

Apr 3, 2019, 9:12:13 AM
to bradle...@gmail.com, golang-nuts
Hi Bradley,

Thanks for the response. 
I could get things going with go-spiffe library [https://github.com/spiffe/go-spiffe]. 
This library essentially provides a custom verification method (tls.Config.VerifyPeerCertificate) which takes care of matching the SVID.
This one suited my need.

Regards,
Dheeraj
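The pattern both posts above point at, written out as an added example (this is not the original poster's code and not the go-spiffe library's implementation): InsecureSkipVerify switches off Go's built-in chain-plus-hostname check, and a tls.Config.VerifyPeerCertificate callback redoes the chain verification with DNSName left empty and then matches the SPIFFE ID in the leaf's URI SAN. The trust domain spiffe://example.org, the in-memory CA, and the helper names are assumptions made for this example; verifyWithHostname reproduces the HostnameError from the first post for comparison.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeVerifier is a tls.Config.VerifyPeerCertificate callback: the built-in
// check minus the hostname match. It validates the chain against roots with
// DNSName left empty (so VerifyHostname never runs), then requires the leaf's
// single spiffe:// URI SAN to equal expectedID. verifiedChains is ignored: it
// is nil whenever InsecureSkipVerify is set.
func spiffeVerifier(roots *x509.CertPool, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		var certs []*x509.Certificate
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("parsing peer certificate: %w", err)
			}
			certs = append(certs, c)
		}
		intermediates := x509.NewCertPool()
		for _, c := range certs[1:] {
			intermediates.AddCert(c)
		}
		if _, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err != nil {
			return fmt.Errorf("chain verification: %w", err)
		}
		return matchSPIFFEID(certs[0], expectedID)
	}
}

// matchSPIFFEID enforces exactly one URI SAN, with the spiffe scheme, equal
// to the identity the caller expects to be talking to.
func matchSPIFFEID(leaf *x509.Certificate, expectedID string) error {
	if n := len(leaf.URIs); n != 1 {
		return fmt.Errorf("SVID must carry exactly one URI SAN, found %d", n)
	}
	if got := leaf.URIs[0]; got.Scheme != "spiffe" || got.String() != expectedID {
		return fmt.Errorf("peer SPIFFE ID %q, expected %q", got, expectedID)
	}
	return nil
}

// newSPIFFEClientConfig is the mTLS client config for the thread's setup.
// InsecureSkipVerify only disables the built-in check (which copies ServerName
// into DNSName and fails with HostnameError); the callback is the real check.
func newSPIFFEClientConfig(clientCert tls.Certificate, roots *x509.CertPool, expectedServerID string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{clientCert},
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: spiffeVerifier(roots, expectedServerID),
		MinVersion:            tls.VersionTLS12,
	}
}

// verifyWithHostname reproduces the failure in the first post: a DNSName in
// VerifyOptions forces a hostname match that a DNS-less SVID cannot satisfy.
func verifyWithHostname(leafDER []byte, roots *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// newTestSVID mints a throwaway CA and a leaf whose only identity is the SPIFFE
// ID in its URI SAN (no Subject CN, no DNS SAN). Constructed in memory for this
// example with an assumed trust domain; not a SPIRE-issued SVID.
func newTestSVID(spiffeID string) (*x509.CertPool, [][]byte, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), URIs: []*url.URL{id},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caPriv)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, [][]byte{leafDER}, nil
}

func main() {
	roots, chain, err := newTestSVID("spiffe://example.org/server")
	if err != nil {
		panic(err)
	}
	fmt.Println("default verify:", verifyWithHostname(chain[0], roots, "servername"))
	fmt.Println("SVID verify:   ", spiffeVerifier(roots, "spiffe://example.org/server")(chain, nil))
	fmt.Println("wrong ID:      ", spiffeVerifier(roots, "spiffe://example.org/other")(chain, nil))
}
```

Two caveats when using this pattern: once InsecureSkipVerify is true, the callback is the only thing standing between the client and an arbitrary certificate, so it must be installed unconditionally and must fail closed (every error path returns non-nil, as above); and the expected SPIFFE ID has to come from configuration or the service's registration, not from the server's own certificate, otherwise the check degenerates into "the peer is whoever it says it is". ServerName can still be set for SNI routing; it simply no longer participates in verification.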