How to setup a GRPC SSL Client?


shikhach...@gmail.com

May 3, 2016, 8:24:46 AM
to grpc.io
Hi,

I am creating a root CA & signing my end-user certificate with that root CA, using https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html as reference.

- I then installed the (private key + certificate) at the server.
- Still I am getting "certificate verify" failed error.

Could you please suggest what client setup is required for configuring root CA? I think we add private root key & some cert chains as well at the client startup.
We set some environment variable as well. What all CA related stuff should we place in that path? Root private key, CA self signed cert & what else?


-Thanks
Shikha 


Christian Svensson

May 3, 2016, 8:54:58 AM
to Shikha Chowdhary, grpc.io
You either need to add the server certificate or the root CA certificate to the client's trust store.

On Tue, May 3, 2016 at 2:24 PM, <shikhach...@gmail.com> wrote:
> I think we add private root key & some cert chains as well at the client startup.

Absolutely do not share the private key of the server or the CA. The client only needs the public certificate of either the CA or the server.

Please always share the code you're using. It's hard to give you any direct advice otherwise.


shikhach...@gmail.com

May 3, 2016, 1:01:22 PM
to grpc.io, shikhach...@gmail.com
Yeah, my mistake. Here is the client code:

(A) 
int main ( )
{
  ...
  // Fields: {pem_root_certs, pem_private_key, pem_cert_chain}; all left empty here.
  SslCredentialsOptions ssl_opts = {"", "", ""};
  ChannelArguments args;
  args.SetSslTargetNameOverride("Foo.com");

  greeterClient(CreateCustomChannel("10.2.1.1:10061", grpc::SslCredentials(ssl_opts), args));
  greeterClient.Run();
  ...
}


(B) Create (cert + key): openssl req -x509 -newkey rsa:1024 -keyout key1024.pem -out cert1024.pem -days 240 -config conf.txt
- install both on server

(C) The server created in step (B) is stored in a file "roots.pem" pointed to by GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR.

(D) Client error 
ssl_transport_security.c:877] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
handshake.c:237]            Handshake failed with error TSI_PROTOCOL_FAILURE
secure_channel_create.c:102] Secure handshake failed with error 1.
^C

Please suggest what setting is missing?


-Thanks
Shikha
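
Added example, not part of any post in this thread: a shell sketch of the reply's advice that the client trust store holds only a public certificate, either the CA's or the server's. The file names, the demo CA subject, the temporary directory and `./client` are constructed; `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` is the environment variable gRPC reads for its default roots file.

```shell
#!/bin/sh
# Added example; names (Demo Root CA, file names, temp dir) are constructed.
set -eu

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
write_conf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1"
}

# Create a root CA, a CA-signed server cert and a self-signed cert in dir $1.
make_pki() {
  d=$1; write_conf "$d/o.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/o.cnf" -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$d/o.cnf" \
    -subj "/CN=Foo.com" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
  # Self-signed certificate, the kind step (B) in the thread produces.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/o.cnf" -days 30 \
    -subj "/CN=Foo.com" -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
  # Client trust store: public CA certificate only, never a private key.
  cp "$d/ca.crt" "$d/roots.pem"
}

# Exit status 0 if certificate $2 chains to something in trust store $1.
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Exit status 0 if file $1 contains a private key.
has_private_key() { grep -q "PRIVATE KEY" "$1"; }

# Print "ok" or "verify failed" for cert $2 against store $1.
check() { if trusted_by "$1" "$2"; then echo ok; else echo "verify failed"; fi; }

PKI=$(mktemp -d)
make_pki "$PKI"
echo "CA-signed server cert vs roots.pem: $(check "$PKI/roots.pem" "$PKI/server.crt")"
echo "self-signed cert vs roots.pem:      $(check "$PKI/roots.pem" "$PKI/self.crt")"
cat "$PKI/self.crt" >> "$PKI/roots.pem"   # other option: trust the server cert itself
echo "self-signed cert after adding it:   $(check "$PKI/roots.pem" "$PKI/self.crt")"
has_private_key "$PKI/roots.pem" && echo "roots.pem leaks a key" || echo "roots.pem holds certificates only"
# A gRPC client would then be started with this file as its default roots:
#   GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="$PKI/roots.pem" ./client   (./client is hypothetical)
```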