Subject Alternate Names problem in SSL connection


AK

Jun 13, 2017, 4:20:53 PM
to grpc.io
Following a group member's help, quoted below, I was able to create an SSL/TLS-based client-server.

You need to mint the certificate for the same CN as you connect to.

1. Create a server private key. This is what the server needs to have, it's super-secret.
2. Create a server certificate with CN=localhost, self-signed. This is what the server and the client needs to have, it's public.
3. In the client, use the server certificate (*not* the key) as a "roots". This will tell your client to trust servers using that certificate - but only if the CN matches the address you connect to.
4. In the client, connect to localhost.


At that time, gRPC only supported certificates created with the hostname value for CN. Now that gRPC 1.4.x supports Subject Alternate Names (SAN), an IP address can also be used to connect to the server. But I am having a problem with SANs. The moment I supply the certificates created with a SAN I get the following error.

E0613 13:01:34.755411031   26365 ssl_transport_security.c:925] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Greeter received: RPC failed


Here is the process I used to create certificates

mypass="pass123"
echo Generate server key:
openssl genrsa -passout pass:$mypass -des3 -out server.key 4096

echo Generate server signing request:
openssl req -passin pass:$mypass -new -key server.key -out server.csr -config ssl.cfg

echo Self-sign server certificate:
openssl x509 -req -passin pass:$mypass -days 365 -in server.csr -signkey server.key -set_serial 01 -out server.crt -extensions v3_req -extfile ssl.cfg

echo Remove passphrase from server key:
openssl rsa -passin pass:$mypass -in server.key -out server.key

I am wondering what mistake I made in the above key-certificate creation steps?
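Below is an added example, not code from the thread, showing the OpenSSL config and signing step that put both a DNS name and an IP address into the certificate's SAN, followed by checks that the SAN was actually written and that the certificate matches the intended host and IP. The file and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: mint a self-signed server certificate
# whose Subject Alternative Name carries DNS:localhost and IP:127.0.0.1, then
# confirm the SAN is really in the certificate. File names are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# prompt=no keeps `openssl req` non-interactive. Note that
# `openssl x509 -req -signkey` does not copy extensions from the CSR, so the
# signing step must name this file and section with -extfile/-extensions.
write_san_config() {
    cat > "$WORK/san.cfg" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = localhost

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
EOF
}

make_san_cert() {
    write_san_config
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" -config "$WORK/san.cfg"
    openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -set_serial 01 -out "$WORK/server.crt" \
        -extfile "$WORK/san.cfg" -extensions v3_req 2>/dev/null
}
# Prints the SAN entries, e.g. "DNS:localhost, IP Address:127.0.0.1".
cert_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 only if the certificate is valid for the given DNS name / IP address,
# the same SAN check a TLS client performs before trusting the server.
cert_matches_host() { openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1; }
cert_matches_ip()   { openssl verify -CAfile "$WORK/server.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1; }

make_san_cert
echo "SAN: $(cert_san)"
```

To inspect a certificate you already have, `openssl x509 -in server.crt -noout -text` must show the `X509v3 Subject Alternative Name` block; if it is absent, the extensions were not applied at signing time.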

Eric Anderson

Jun 20, 2017, 12:52:42 PM
to AK, Julien Boeuf, grpc.io
Julien, do you know the expected behavior after PR#5666?

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscribe@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/9c0aa468-4614-465b-982f-d381bcdb96d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Julien Boeuf

Jul 7, 2017, 7:15:27 PM
to grpc.io, anand.s...@gmail.com, jbo...@google.com
Anand,

Can you please send me the resulting cert so that I can have a look at it?

Thanks,

    Julien.

chirag panchal

Jul 29, 2021, 12:12:39 PM
to grpc.io
I'm facing a similar issue. Was this resolved by any means???

ensan

Jul 29, 2021, 3:27:41 PM
to grpc.io
Here's an example script I created for a side project a while ago - it works (or at least worked) so may be of use. I create a CA (private key, a csr to mint the CA root cert) and then create server and client certs for mutual TLS. Hopefully it helps: https://github.com/bensanmorris/firefly_grpc/blob/main/keys/create_certs.sh . You might want to omit certain fields (the OU field for instance).