Julien, do you know the expected behavior after PR#5666 <https://github.com/grpc/grpc/pull/5666>?
On Tue, Jun 13, 2017 at 1:20 PM, AK <[email protected]> wrote:
> Following one of group member's help as below I was able to create SSL/TLS
> based client-server.
>
> You need to mint the certificate for the same CN as you connect to.
>
> 1. Create a server private key. This is what the server needs to have, it's
>    super-secret.
> 2. Create a server certificate with CN=localhost, self-signed. This is
>    what the server and the client needs to have, it's public.
> 3. In the client, use the server certificate (*not* the key) as a "roots".
>    This will tell your client to trust servers using that certificate - but
>    only if the CN matches the address you connect to.
> 4. In the client, connect to localhost.
>
> At that time, gRPC only supported certificates created with hostname value
> for CN. Now that gRPC 1.4.x supports Subject Alternate Names (SAN), IP
> address can also be used to connect to server. But, I am having problem
> with SANs. The moment I supply the certificates created with SAN I get the
> following error.
>
> E0613 13:01:34.755411031 26365 ssl_transport_security.c:925] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>
> Greeter received: RPC failed
>
> Here is the process I used to create certificates
>
> mypass="pass123"
>
> echo Generate server key:
> openssl genrsa -passout pass:$mypass -des3 -out server.key 4096
>
> echo Generate server signing request:
> openssl req -passin pass:$mypass -new -key server.key -out server.csr -config ssl.cfg
>
> echo Self-sign server certificate:
> openssl x509 -req -passin pass:$mypass -days 365 -in server.csr -signkey server.key -set_serial 01 -out server.crt -extension v3_req -extfile ssl.cfg
>
> echo Remove passphrase from server key:
> openssl rsa -passin pass:$mypass -in server.key -out server.key
>
> I am wondering what mistake did I do in the above key-certificate creation
> steps?
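Added example, not part of the thread and not gRPC project code: a self-signed server certificate carrying both a DNS and an IP SAN, followed by a check that the SAN actually landed in the issued certificate before it is handed to a client as its roots. The contents of ssl.cfg, the function names and the 2048-bit unencrypted key are assumptions; the thread does not show its ssl.cfg.

```shell
#!/usr/bin/env bash
# Constructed example: the config below is an assumed ssl.cfg, not the poster's.
set -eu

make_san_cert() {   # usage: make_san_cert <outdir>
  dir=$1
  cat > "$dir/ssl.cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
  # 2048 bits keeps the demo fast; no passphrase, so no later "rsa" step.
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/ssl.cfg"
  # "x509 -req" does not copy extensions from the CSR by default: name the
  # section with -extensions and point -extfile at the file defining it.
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -set_serial 01 -out "$dir/server.crt" -extensions v3_req -extfile "$dir/ssl.cfg"
}

# Succeed only if the certificate is valid for the given IP / hostname.
cert_matches_ip() {    # usage: cert_matches_ip <cert> <ip>
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}
cert_matches_host() {  # usage: cert_matches_host <cert> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo run in a scratch directory: issue the cert and show its SAN entries.
tmp=$(mktemp -d)
make_san_cert "$tmp"
openssl x509 -in "$tmp/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

If the SAN line is missing from the `-text` output, the extension section was not applied when the certificate was signed, and a client connecting by IP address has nothing to match against.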
