ssl/tls grpc not available for c++?

吴烨烽

Feb 15, 2022, 10:56:56 PM
to grpc.io

Here are two questions.

Q1. Why can the client communicate with the server?

Step 1: The server configures SslServerCredentials (including server certificate and private key) to listen on the port.
Step 2: The client configures InsecureChannelCredentials to create the channel.

Q2. The client can communicate with the server, but it is not TLS according to the Wireshark packet capture.

Step 1: The server configures SslServerCredentials (including server certificate and private key) to listen on the port.
Step 2: The client configures SslCredentials (including CA certificates) to create a channel.

Server code:

```cpp
std::string server_address("0.0.0.0:30051");
std::string key;
std::string cert;
read("E:\\DataCert\\server1.pem", cert);
read("E:\\DataCert\\server1.key", key);
grpc::SslServerCredentialsOptions::PemKeyCertPair keycert = { key, cert };
grpc::SslServerCredentialsOptions sslOps(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
sslOps.pem_key_cert_pairs.push_back(keycert);
std::shared_ptr<grpc::ServerCredentials> creds = grpc::SslServerCredentials(sslOps);
ServerBuilder builder;
builder.AddListeningPort(server_address, creds);
GreeterServiceImpl service;
builder.RegisterService(&service);
std::unique_ptr<Server> server(builder.BuildAndStart());
std::cout << "Server listening on " << server_address << std::endl;
server->Wait();
```

Client code:

```cpp
std::string cert;
std::string key;
std::string root;
read("E:\\DataCert\\ca.pem", root);
grpc::SslCredentialsOptions opts;
opts.pem_root_certs = root;
grpc::ChannelArguments cargs;
cargs.SetSslTargetNameOverride("foo.test.google.fr");
std::string server{ "192.168.20.182:30051" };
std::unique_ptr<Greeter::Stub> stub_ = Greeter::NewStub(grpc::CreateCustomChannel(server, grpc::SslCredentials(opts), cargs));
//std::unique_ptr<Greeter::Stub> stub_ = Greeter::NewStub(grpc::CreateChannel(server, grpc::InsecureChannelCredentials()));
std::string user("world");
HelloRequest request;
request.set_name(user);
HelloReply reply;
ClientContext context;
Status status = stub_->SayHello(&context, request, &reply);
```

yas...@google.com

Feb 16, 2022, 1:59:19 PM
to grpc.io
Note that you are using `GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE`. In that mode, the server does not request (nor require) client certificates.

If you want the server to require client certificates, you could use `GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY` instead of `GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE`.

Also, note that in your client code, you would need to set the private key or the cert chain.

wyf Heat

Feb 16, 2022, 8:37:57 PM
to grpc.io
Thanks for your reply.
In `GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE` mode, the client needs to verify the server, and the server needs to send the server certificate to the client. These processes should also be under the TLS protocol, but through the packet capture, there is no TLS.
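A check that settles, from the capture itself, whether the first bytes the client sent to port 30051 are a TLS ClientHello or the cleartext HTTP/2 connection preface that gRPC sends on an insecure channel. This is an added example, not part of the thread; `WireKind`, `classify_first_bytes` and the sample byte strings are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

enum class WireKind { TlsClientHello, CleartextHttp2, Unknown };

// Classify the first payload bytes a client sends after the TCP handshake.
WireKind classify_first_bytes(const std::vector<uint8_t>& b) {
    // HTTP/2 connection preface (RFC 7540, section 3.5), 24 bytes, sent in
    // the clear when the channel is not wrapped in TLS.
    static const char kPreface[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
    const size_t kPrefaceLen = sizeof(kPreface) - 1;
    if (b.size() >= kPrefaceLen &&
        std::memcmp(b.data(), kPreface, kPrefaceLen) == 0)
        return WireKind::CleartextHttp2;

    // TLS record header: type(1) version(2) length(2), then handshake type(1).
    if (b.size() >= 6 &&
        b[0] == 0x16 &&                  // ContentType: handshake
        b[1] == 0x03 && b[2] <= 0x04 &&  // record version 3.0 .. 3.4
        b[5] == 0x01) {                  // HandshakeType: client_hello
        const size_t record_len = (static_cast<size_t>(b[3]) << 8) | b[4];
        // A record carries at most 2^14 bytes; a handshake header needs 4.
        if (record_len >= 4 && record_len <= 16384)
            return WireKind::TlsClientHello;
    }
    return WireKind::Unknown;
}

// Constructed sample inputs (not taken from the poster's capture).
std::vector<uint8_t> sample_tls() {
    return {0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xfc, 0x03, 0x03};
}
std::vector<uint8_t> sample_h2() {
    const std::string p = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
    return std::vector<uint8_t>(p.begin(), p.end());
}

int main() {
    std::cout << (classify_first_bytes(sample_tls()) == WireKind::TlsClientHello)
              << (classify_first_bytes(sample_h2()) == WireKind::CleartextHttp2)
              << std::endl;
    return 0;
}
```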