Have you reached out to the SPIFFE and SPIRE folks? https://github.com/spiffe/spiffe https://github.com/spiffe/spire
SPIRE, a reference implementation, is written in Go. They may be familiar with the issue.

On Monday, April 1, 2019 at 11:51:20 AM UTC-5, Dheeraj Gedam wrote:
> Hi,
>
> I am writing a gRPC client for a third-party gRPC server. The certificates
> issued to both server and client are SPIFFE based. These certificates don't
> have a Common Name and carry the SPIFFE ID in the URI SAN field.
> However, there is an issue while validating the server certificate which
> leads to a handshake failure.
>
> go version go1.12.1 linux/amd64
>
> The CA has issued certificates for both client and server. My client code
> performs the steps below:
>
> 1. Populate the tls.Config structure
>    tlsConf.Certificates = []tls.Certificate{clientcertificate}
>    tlsConf.RootCAs = caCertificatePool
>    tlsConf.InsecureSkipVerify = false
>
> 2. creds = credentials.NewTLS(&tlsConf)
>
> 3. conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", "servername")
>    conn, _, err = creds.ClientHandshake(ctx, "servername", conn)
>
> ClientHandshake returns the error "x509: certificate is not valid for any
> names, but wanted to match <servername>"
>
> This error comes from https://golang.org/src/crypto/x509/verify.go,
> func (h HostnameError) Error() string.
> After a little debugging, it looks like the sequence of events below is
> happening:
> i) hostname is populated from addr (i.e. servername in this case) in
> DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This
> same hostname is populated as config.ServerName.
> ii) config.ServerName is later used to populate DNSName in VerifyOptions.
> iii) Since DNSName is non-empty, VerifyHostname() is called, which returns
> an error!
>
> In short, when it is a SPIFFE certificate, the hostname match should be
> avoided and only the URI SAN should be matched.
> There is the option of InsecureSkipVerify, which altogether skips hostname
> and certificate verification.
> I would like to know if there is an option to skip just the hostname
> match and continue with the rest of the certificate verification (required
> for mTLS).
>
> Thanks,
> Dheeraj
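An added example, not from this thread and not SPIFFE/SPIRE project code, showing the standard crypto/tls pattern that answers Dheeraj's question on go1.12: set InsecureSkipVerify to true so that ServerName is never turned into a DNSName match, and install a VerifyPeerCertificate callback that redoes chain verification against the CA pool with DNSName left empty and then compares the leaf's URI SAN with the expected SPIFFE ID. Because InsecureSkipVerify is on, crypto/tls hands the callback only the raw certificates and an empty verifiedChains, so the callback must rebuild the chain itself, which is the caveat people miss. The function names spiffeVerifier, clientTLSConfig and newTestPKI, the SPIFFE ID spiffe://example.org/server, and the throwaway CA and leaf certificate (generated in memory, no CN, URI SAN only, mirroring the certificates described in the post) are all this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeVerifier returns a tls.Config.VerifyPeerCertificate callback. With
// InsecureSkipVerify=true crypto/tls passes it raw peer certs and an empty
// verifiedChains, so it rebuilds the chain, verifies it against roots with
// DNSName left empty (VerifyHostname is then never called), and finally
// requires the leaf to carry exactly one URI SAN equal to expectedID.
func spiffeVerifier(roots *x509.CertPool, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("spiffe: peer presented no certificate")
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
		var leaf *x509.Certificate
		for i, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("spiffe: parsing peer certificate %d: %v", i, err)
			}
			if i == 0 {
				leaf = c
			} else {
				opts.Intermediates.AddCert(c)
			}
		}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("spiffe: chain verification failed: %v", err)
		}
		if len(leaf.URIs) != 1 { // zero or several IDs are rejected, not guessed at
			return fmt.Errorf("spiffe: expected exactly one URI SAN, got %d", len(leaf.URIs))
		}
		if got := leaf.URIs[0]; got.Scheme != "spiffe" || got.String() != expectedID {
			return fmt.Errorf("spiffe: peer ID %q does not match expected %q", got.String(), expectedID)
		}
		return nil
	}
}

// clientTLSConfig is the mTLS client config the thread asks for: the built-in
// chain+hostname check is switched off and replaced by spiffeVerifier, so the
// peer is still authenticated despite the InsecureSkipVerify name.
func clientTLSConfig(clientCert tls.Certificate, roots *x509.CertPool, serverID string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{clientCert},
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: spiffeVerifier(roots, serverID),
	}
}

// newTestPKI builds a throwaway CA plus a leaf with no CN and only a URI SAN
// (constructed test data mirroring the thread's certificates).
func newTestPKI(spiffeID string) (*x509.CertPool, []byte, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id}, // the only subject name: no CN, no DNS SAN
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafDER, nil
}
```

Pass the result of clientTLSConfig to credentials.NewTLS exactly as in the original post; gRPC will still set ServerName from the authority, but with InsecureSkipVerify on that name is only sent as SNI and is no longer matched against the certificate. From Go 1.15 onwards the same logic can live in tls.Config.VerifyConnection, and the go-spiffe library provides a ready-made tlsconfig package, but the callback above is what works on the go1.12 in the thread.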