- Abstract
Using the C++ interface, I set up a server using SslServerCredentials and just give the grpc::ServerBuilder instance an IP to create the listening port.
The server-side code is shown below:
And the client-side code is shown below:
// Ssl-Cert info of client side encapsulation
My question is that the grpc connection between server and client, using an IP only, works fine without the SSL secure channel inserted.
But if I insert the SSL credential info as above, the error below is found.
- Error Found
client_side:
(base) user@user-machine:~/grpc/examples/cpp/helloworld$ GRPC_VERBOSITY=DEBUG ./greeter_client
D0207 16:02:57.197850779 16548 dns_resolver_ares.cc:504] Using ares dns resolver
D0207 16:02:57.204809585 16548 security_handshaker.cc:184] Security handshake failed: {"created":"@1612684977.204796431","description":"Peer name 127.0.0.1 is not in peer certificate","file":"~/grpc/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":57}
I0207 16:02:57.204886270 16548 subchannel.cc:1033] Connect failed: {"created":"@1612684977.204796431","description":"Peer name 127.0.0.1 is not in peer certificate","file":"~/grpc/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":57}
I0207 16:02:57.204919892 16548 subchannel.cc:972] Subchannel 0x55f0ee4cb360: Retry in 993 milliseconds
14: failed to connect to all addresses
Greeter received: RPC failed
server_side:
(base) user@user-machine:~/grpc/examples/cpp/helloworld$ GRPC_VERBOSITY=DEBUG ./greeter_server
D0207 16:02:43.985391400 16542 dns_resolver_ares.cc:504] Using ares dns resolver
I0207 16:02:43.985475962 16542 server_builder.cc:332] Synchronous server. Num CQs: 1, Min pollers: 1, Max Pollers: 2, CQ timeout (msec): 10000
Server listening on 127.0.0.1:50051
E0207 16:02:57.200528351 16546 ssl_transport_security.cc:1723] No match found for server name: 127.0.0.1.
client_self_signed_cert_info:
openssl x509 -in ~/grpc/examples/cpp/helloworld/ssl_key1/client_self_signed_crt.pem -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1
Validity
Not Before: Feb 7 07:13:41 2021 GMT
Not After : Feb 5 07:13:41 2031 GMT
Subject: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
...
(server_self_signed_cert is the same as above)
ca_cert_info:
openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1
Validity
Not Before: Feb 7 07:13:41 2021 GMT
Not After : Feb 5 07:13:41 2031 GMT
Subject: C = CN, ST = FuJian, L = XiaMen, O = YaXon, OU = gRPC, CN = 127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
...
X509v3 Authority Key Identifier:
..
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
…
- Question && Requirement
Can we skip validation of the IP or hostname info within the cert?
After investigation and analysis of your source code and testing example, I found that 'hostname validation' is enforced in your grpc SSL secure-channel connection.
I wonder if there is a 'controller param' in the server's and client's args to shut down the hostname identity validation while setting up the connection.
Application Scenario:
In my application scenario, there is only one server and multiple clients.
(Each client holds a different IP address)
And the only common info between the client and server is the IP. Client and server know each other's IP address, but the multiple clients hold only one Client_Cert.
Testing Result:
args.SetSslTargetNameOverride("test");
--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/e2aefd33-1f3c-4f22-8e54-b7681269a176n%40googlegroups.com.
Overriding (or worse, ignoring) the CN is a bad security practice. It's far better to generate the correct certificate with the correct Common Name (or use the SAN, subject alternative name, to match the host you intend to talk to).
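The certificate the thread shows has CN=127.0.0.1 and no X509v3 extensions at all. That is exactly what the client-side error "Peer name 127.0.0.1 is not in peer certificate" is about: gRPC's peer-name check (tsi_ssl_peer_matches_name in ssl_transport_security.cc) looks at subjectAltName entries first, and it falls back to the Common Name only when the target is not an IP address. For an IP target such as 127.0.0.1 the certificate must carry an iPAddress SAN; CN=127.0.0.1 is never consulted. (The server-side line "No match found for server name: 127.0.0.1." comes from the server's SNI callback and is only a warning; it is not what fails the handshake.) SetSslTargetNameOverride only changes which name the client expects to find in the certificate, so it does not remove the check. The following script is an added example, not code from this thread or from the gRPC project: it mints a private CA and a server certificate with IP:127.0.0.1 in the SAN, issues a second certificate the way the poster did (CN only, no SAN), and uses `openssl verify -verify_ip` to show which one passes an IP name check. OpenSSL applies the same rule (no CN fallback for IP names), so the result mirrors what gRPC does on the client. It assumes the openssl CLI (1.1.0 or newer); the working directory, subject names and validity period are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from gRPC: mint a CA plus a server
# certificate with IP:127.0.0.1 in subjectAltName, then a CN-only certificate
# like the poster's, and compare them with an IP name check.
# Assumes the openssl CLI (1.1.0+); WORKDIR, subjects and -days are demo choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on a system openssl.cnf.
# The v3_ca section is only used when self-signing the CA certificate.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Private CA; its certificate is what a gRPC client would load as pem_root_certs.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -config "$WORKDIR/req.cnf" \
    -extensions v3_ca -subj "/O=gRPC demo/CN=gRPC demo CA" -days 365 \
    -out "$WORKDIR/ca.crt"
}

# Server certificate with the IP (and a DNS name) in subjectAltName. This is
# the piece the poster's certificate lacks: for an IP target only iPAddress
# SAN entries are matched, the CN is never used.
issue_server_cert() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -config "$WORKDIR/req.cnf" \
    -subj "/O=gRPC demo/CN=127.0.0.1" -out "$WORKDIR/server.csr"
  cat > "$WORKDIR/server_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1,DNS:localhost
EOF
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORKDIR/server_ext.cnf" -out "$WORKDIR/server.crt" 2>/dev/null
}

# The poster's pattern: CN=127.0.0.1 and no SAN, signed by the same CA.
issue_cn_only_cert() {
  openssl req -new -key "$WORKDIR/server.key" -config "$WORKDIR/req.cnf" \
    -subj "/O=gRPC demo/CN=127.0.0.1" -out "$WORKDIR/cn_only.csr"
  openssl x509 -req -in "$WORKDIR/cn_only.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/cn_only.crt" 2>/dev/null
}

# Exit 0 when certificate $1 chains to the demo CA and is valid for IP $2,
# i.e. the decision a client makes for a channel target of "<ip>:<port>".
cert_valid_for_ip() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when certificate $1 lists IP $2 in its subjectAltName extension.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

write_req_config
make_ca
issue_server_cert
issue_cn_only_cert

# Show the SAN of the good certificate and the outcome of both checks.
openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
cert_valid_for_ip "$WORKDIR/cn_only.crt" 127.0.0.1 || echo "cn_only.crt: rejected for 127.0.0.1 (CN is ignored for IP targets)"
cert_valid_for_ip "$WORKDIR/server.crt" 127.0.0.1 && echo "server.crt: valid for 127.0.0.1"
```

To use the result with the helloworld example from the thread, put server.key and server.crt into the SslServerCredentialsOptions pem_key_cert_pairs on the server, give the client ca.crt as SslCredentialsOptions pem_root_certs, and keep the target as 127.0.0.1:50051; no target-name override is then needed. Every extra server address or name the clients will use goes into the same subjectAltName list (more IP: and DNS: entries), which is the supported alternative to switching the check off.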