admin管理员组文章数量:1315258
My code works for insecure and server-side auth. I have read everything I can find, and I think the code is set up correctly. Something is incorrect, and I need help.
FULL ERROR: alert bad certificate:ssl/record/rec_layer_s3.c:908:SSL alert number 42
The cert, key and root CA were created with mkcert on the mac. I have them in files and reference them via config file.
TEST RUN on Certs:
openssl verify -CAfile rootCA.crt localhost.crt
localhost.crt: OK
openssl x509 -noout -modulus -in localhost.crt | openssl md5
MD5(stdin)= 2458874611c7bad14f86a76c4b28a332
openssl rsa -noout -modulus -in ../localhost-private.key | openssl md5
MD5(stdin)= 2458874611c7bad14f86a76c4b28a332
NOTE: I have not include loadConfig. It clearly works.
Client Config:
grpc_host: "localhost"
grpc_port: 50051
grpc_secure:
mutual: true
grpc_tls_info:
tls_certificate_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/certs/client-localhost.crt"
tls_private_key_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/client-localhost.key"
tls_ca_bundle_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/certs/rootCA.crt"
Server Config:
grpc_host: "localhost"
grpc_port: 50051
grpc_secure:
mutual: true
grpc_tls_info:
tls_certificate_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/certs/localhost.crt"
tls_private_key_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/localhost-private.key"
tls_ca_bundle_fqn: "/Volumes/development-share/.keys/mac-localhost/tls/certs/rootCA.crt"
GRPC Service Code: (Called from the server)
func NewGRPCService(
extensionName string,
config GRPCConfiguration,
) (gRPCServicePtr *GRPCService, errorInfo errs.ErrorInfo) {
var (
tCertificate tls.Certificate
tCACertPool *x509.CertPool
tGRPCListener net.Listener
tTLSConfig *tls.Config
tTransportCredentials credentials.TransportCredentials
)
gRPCServicePtr = &GRPCService{
host: config.GRPCHost,
}
if tGRPCListener, errorInfo.Error = net.Listen(ctv.VAL_TCP, fmt.Sprintf("%s:%d", ctv.VAL_LOCAL_HOST, config.GRPCPort)); errorInfo.Error != nil {
errorInfo = errs.NewErrorInfo(errorInfo.Error, errs.BuildLabelValue(ctv.LBL_GRPC_LISTENER, ctv.TXT_FAILED))
return
}
gRPCServicePtr.GRPCListenerPtr = &tGRPCListener
tTLSConfig = &tls.Config{}
switch {
case config.GRPCSecure.ServerSide:
if tCertificate, errorInfo = LoadTLSCredentialsWithKey(config.GRPCTLSInfo); errorInfo.Error != nil {
return
}
tTLSConfig.Certificates = []tls.Certificate{tCertificate}
tTLSConfig.ClientAuth = tls.NoClientCert
tTransportCredentials = credentials.NewTLS(tTLSConfig)
gRPCServicePtr.GRPCServerPtr = grpc.NewServer(grpc.Creds(tTransportCredentials))
if hlps.CheckPointerNotNil(gRPCServicePtr.GRPCServerPtr, errs.ErrPointerMissing, ctv.FN_GRPC_SERVER_POINTER); errorInfo.Error != nil {
return
}
case config.GRPCSecure.Mutual:
if tCertificate, errorInfo = LoadTLSCredentialsWithKey(config.GRPCTLSInfo); errorInfo.Error != nil {
return
}
if tCACertPool, errorInfo = LoadTLSCACertificate(config.GRPCTLSInfo); errorInfo.Error != nil {
return
}
tTLSConfig.Certificates = []tls.Certificate{tCertificate}
tTLSConfig.RootCAs = tCACertPool
tTLSConfig.ClientCAs = tCACertPool
tTLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
tTransportCredentials = credentials.NewTLS(tTLSConfig)
gRPCServicePtr.GRPCServerPtr = grpc.NewServer(grpc.Creds(tTransportCredentials))
default:
// This is the default security if server side and mutual are both set to false.
tTLSConfig.ClientAuth = tls.NoClientCert
gRPCServicePtr.GRPCServerPtr = grpc.NewServer()
}
return
}
func LoadTLSCACertificate(tlsConfig jwts.TLSInfo) (caCertPoolPtr *x509.CertPool, errorInfo errs.ErrorInfo) {
var (
tCACertificateFile []byte
)
if tCACertificateFile, errorInfo.Error = os.ReadFile(tlsConfig.TLSCABundleFQN); errorInfo.Error != nil {
errorInfo = errs.NewErrorInfo(errorInfo.Error, errs.BuildLabelValue(ctv.LBL_TLS_CA_BUNDLE_FILENAME, tlsConfig.TLSCABundleFQN))
return
}
caCertPoolPtr = x509.NewCertPool()
if ok := caCertPoolPtr.AppendCertsFromPEM(tCACertificateFile); !ok {
errorInfo = errs.NewErrorInfo(errorInfo.Error, errs.BuildLabelValue(ctv.LBL_TLS_CA_CERT_POOL, ctv.TXT_FAILED))
}
return
}
func LoadTLSCredentialsWithKey(tlsConfig jwts.TLSInfo) (certificate tls.Certificate, errorInfo errs.ErrorInfo) {
if certificate, errorInfo.Error = tls.LoadX509KeyPair(tlsConfig.TLSCertFQN, tlsConfig.TLSPrivateKeyFQN); errorInfo.Error != nil {
errorInfo = errs.NewErrorInfo(
errorInfo.Error, fmt.Sprintf(
"%s, %s", errs.BuildLabelValue(ctv.LBL_TLS_CERTIFICATE_FILENAME, tlsConfig.TLSCertFQN), errs.BuildLabelValue(
ctv.LBL_TLS_PRIVATE_KEY_FILENAME,
tlsConfig.TLSPrivateKey,
),
),
)
}
return
}
Server Main.go
func main() {
var (
errorInfo errs.ErrorInfo
tConfig grpcs.GRPCConfiguration
tGRPCServicePtr *grpcs.GRPCService
tSecurityLevel string
)
if tConfig, errorInfo = loadConfig(configFilename); errorInfo.Error != nil {
log.Fatalf("Failed to serve: %v", errorInfo.Error)
}
tGRPCServicePtr, errorInfo = grpcs.NewGRPCService(utilityName, tConfig)
pb.RegisterGRPCTestServicesServer(tGRPCServicePtr.GRPCServerPtr, &Server{})
switch {
case tConfig.GRPCSecure.Mutual:
tSecurityLevel = "Mutual"
case tConfig.GRPCSecure.ServerSide:
tSecurityLevel = "Server Side"
default:
tSecurityLevel = "Insecure"
}
log.Printf("Serving gRPC on port %v / Security Level: %s", tConfig.GRPCPort, tSecurityLevel)
if err := tGRPCServicePtr.GRPCServerPtr.Serve(*tGRPCServicePtr.GRPCListenerPtr); err != nil {
log.Fatalf("Failed to serve: %v", err)
}
fmt.Println(tGRPCServicePtr, errorInfo)
}
Client Main.go:
func main() {
var (
errorInfo errs.ErrorInfo
tCACertPoolPtr *x509.CertPool
tClientCertificate tls.Certificate
tConfig grpcs.GRPCConfiguration
tConn *grpc.ClientConn
tPongReply *pb.Pong
tTLSConfig *tls.Config
tTransportCredentials credentials.TransportCredentials
)
if tConfig, errorInfo = loadConfig(configFilename); errorInfo.Error != nil {
log.Fatalf("failed to load configuration file: %v", errorInfo.Error)
}
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
defer cancel()
if tClientCertificate, errorInfo = grpcs.LoadTLSCredentialsWithKey(tConfig.GRPCTLSInfo); errorInfo.Error != nil {
log.Fatalf("failed to load TLS credentials: %v", errorInfo.Error)
}
if tCACertPoolPtr, errorInfo = grpcs.LoadTLSCACertificate(tConfig.GRPCTLSInfo); errorInfo.Error != nil {
log.Fatalf("failed to load TLS CA certificate: %v", errorInfo.Error)
}
tTLSConfig = &tls.Config{
RootCAs: tCACertPoolPtr,
ClientCAs: tCACertPoolPtr,
Certificates: []tls.Certificate{tClientCertificate},
}
tTLSConfig.ServerName = ctv.LOCAL_HOST
tTLSConfig.InsecureSkipVerify = false
tTransportCredentials = credentials.NewTLS(tTLSConfig)
tConn, errorInfo.Error = grpc.NewClient(fmt.Sprintf("%s:%v", tConfig.GRPCHost, tConfig.GRPCPort), grpc.WithTransportCredentials(tTransportCredentials))
if errorInfo.Error != nil {
log.Fatalf("failed to connect to gRPC server at %s: %v", fmt.Sprintf("%s:%v", tConfig.GRPCHost, tConfig.GRPCPort), errorInfo.Error)
}
defer func(conn *grpc.ClientConn) {
err := conn.Close()
if err != nil {
}
}(tConn)
c := pb.NewGRPCTestServicesClient(tConn)
if tPongReply, errorInfo.Error = c.DKPing(
ctx, &pb.Ping{
Email: "[email protected]",
},
); errorInfo.Error != nil {
errorInfo = errs.NewErrorInfo(errorInfo.Error, ctv.VAL_EMPTY)
}
log.Printf("Our ping got back: %v", tPongReply)
if errorInfo.Error != nil {
log.Printf("Error: %v", errorInfo.Error.Error())
}
}
本文标签: gogRPC mutual auth of certs gets bad certificate on client sideStack Overflow
版权声明:本文标题:go - gRPC mutual auth of certs gets bad certificate on client side - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741981051a2408397.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论