Hi Bradley,

Thanks for the response.
I could get things going with the go-spiffe library [https://github.com/spiffe/go-spiffe].
This library essentially provides a custom verification method
(tls.Config.VerifyPeerCertificate) which takes care of matching the SVID.
This one suited my needs.

Regards,
Dheeraj




On Tue, Apr 2, 2019 at 11:18 PM <bradleyja...@gmail.com> wrote:

> Have you reached out to the SPIFFE and SPIRE folks?
>
> https://github.com/spiffe/spiffe
> https://github.com/spiffe/spire
>
> SPIRE, a reference implementation, is written in Go.  They may be familiar
> with the issue.
>
> On Monday, April 1, 2019 at 11:51:20 AM UTC-5, Dheeraj Gedam wrote:
>>
>> Hi,
>>
>> I am writing a gRPC client for a third-party gRPC server. Certificates
>> issued to both the server and the client are SPIFFE-based. These certificates
>> don't have a Common Name, and have the SPIFFE ID in the URI SAN field.
>> However, there is an issue while validating the server certificate which
>> leads to a handshake failure.
>>
>> *go version go1.12.1 linux/amd64*
>>
>>
>> The CA had issued certificates for both client and server. My client code
>> performs the steps below:
>>
>> 1. Populate the tls.Config structure
>>        tlsConf.Certificates = []tls.Certificate{clientcertificate}
>>        tlsConf.RootCAs = caCertificatePool
>>        tlsConf.InsecureSkipVerify = false
>>
>> 2. creds = credentials.NewTLS(&tlsConf)
>>
>> 3. conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", "servername")
>>    conn, _, err = creds.ClientHandshake(ctx, "servername", conn)
>>
>> ClientHandshake returns the error "*x509: certificate is not valid for any
>> names, but wanted to match <servername>*"
>>
>> This error comes from https://golang.org/src/crypto/x509/verify.go
>> [func (h HostnameError) Error() string].
>> After a little debugging, it looks like the sequence of events below is
>> happening.
>> i) hostname is populated from addr (i.e. servername in this case) in
>> DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This
>> same hostname is populated as config.ServerName.
>> ii) config.ServerName is later used to populate DNSName in VerifyOptions.
>> iii) Since DNSName is non-empty, VerifyHostname() is called, which returns
>> an error!
>>
>> In short, when it is a SPIFFE certificate, the hostname match should be
>> avoided and only the URI SAN should be matched.
>> There is the InsecureSkipVerify option, which skips hostname and certificate
>> verification altogether.
>> I would like to know if there is an option to skip just the hostname
>> match and continue with the rest of the certificate verification (required
>> for mTLS).
>>
>> Thanks,
>> Dheeraj
>>
>> --
> You received this message because you are subscribed to a topic in the
> Google Groups "golang-nuts" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/golang-nuts/SX-MajM2ZUM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
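The approach Dheeraj lands on above (a custom tls.Config.VerifyPeerCertificate that matches the SVID), as an added, stand-alone Go example. This is editor-written code, not from the original posts and not go-spiffe's implementation. It assumes a constructed in-memory CA and the SPIFFE IDs spiffe://example.org/server and spiffe://example.org/client; the helper names (spiffeVerifier, clientTLSConfig, hostnameCheck, newTrustDomain, must) are the example's own. hostnameCheck reproduces the HostnameError from the original post, and spiffeVerifier shows what the callback has to do once InsecureSkipVerify is true: it is then the only verification that runs, so it must rebuild the chain against the root pool itself (with VerifyOptions.DNSName left empty) and check the extended key usage before comparing the URI SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeVerifier returns a tls.Config.VerifyPeerCertificate callback: it redoes the chain validation
// that InsecureSkipVerify switches off, but leaves VerifyOptions.DNSName empty (no hostname match) and
// requires the leaf's URI SAN to equal expectedID. usage: ExtKeyUsageServerAuth or ExtKeyUsageClientAuth.
func spiffeVerifier(roots *x509.CertPool, usage x509.ExtKeyUsage, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("spiffe: peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{usage}}
		for _, raw := range rawCerts[1:] { // intermediates, if the peer sent any
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			opts.Intermediates.AddCert(c)
		}
		if _, err := leaf.Verify(opts); err != nil { // signatures, validity period, EKU; DNSName empty, so no hostname check
			return err
		}
		for _, u := range leaf.URIs {
			if u.String() == expectedID {
				return nil // SVID matches
			}
		}
		return fmt.Errorf("spiffe: URI SANs %v do not include expected ID %q", leaf.URIs, expectedID)
	}
}

// clientTLSConfig is the client config the thread converges on: InsecureSkipVerify turns off the
// built-in chain+hostname check, and VerifyPeerCertificate restores the chain check on its own.
func clientTLSConfig(clientSVID tls.Certificate, roots *x509.CertPool, expectedServerID string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{clientSVID}, // presented to the server for mTLS
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: spiffeVerifier(roots, x509.ExtKeyUsageServerAuth, expectedServerID),
		MinVersion:            tls.VersionTLS12,
	}
}

// hostnameCheck reproduces the failing path from the thread: with ServerName set, crypto/tls fills
// VerifyOptions.DNSName, and a leaf that only has a URI SAN fails with x509.HostnameError.
func hostnameCheck(leaf *x509.Certificate, roots *x509.CertPool, serverName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

// newTrustDomain is constructed scaffolding so the example runs offline: an in-memory CA that issues
// one SVID per id, shaped like the thread's certificates (no Common Name, no DNS SAN, URI SAN only).
func newTrustDomain(ids ...string) (*x509.CertPool, []tls.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	var svids []tls.Certificate
	for i, id := range ids {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), URIs: []*url.URL{must(url.Parse(id))}, // no Subject, no DNSNames
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey))
		svids = append(svids, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key})
	}
	return roots, svids
}

func must[T any](v T, err error) T { // fixture-only helper: panic on error
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	roots, svids := newTrustDomain("spiffe://example.org/server", "spiffe://example.org/client")
	fmt.Println("default path with ServerName set:", hostnameCheck(must(x509.ParseCertificate(svids[0].Certificate[0])), roots, "servername")) // x509.HostnameError
	verify := clientTLSConfig(svids[1], roots, "spiffe://example.org/server").VerifyPeerCertificate
	fmt.Println("custom verifier, matching server SVID:", verify(svids[0].Certificate, nil))         // <nil>
	fmt.Println("custom verifier, client SVID offered as server:", verify(svids[1].Certificate, nil)) // SVID mismatch error
}
```

The server side of an mTLS setup uses the same callback with ClientAuth set to tls.RequireAnyClientCert (crypto/tls then demands a certificate but leaves validation to the callback) and x509.ExtKeyUsageClientAuth as the usage. Whenever InsecureSkipVerify or one of those ClientAuth modes is in effect, crypto/tls passes nil as the verifiedChains argument, which is why the example never relies on it and rebuilds the chain from rawCerts instead.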
