Anand,

Can you please send me the resulting cert so that I can have a look at it?

Thanks,

    Julien.

On Tuesday, June 20, 2017 at 9:52:42 AM UTC-7, Eric Anderson wrote:
>
> Julien, do you know the expected behavior after PR#5666 
> <https://github.com/grpc/grpc/pull/5666>?
>
> On Tue, Jun 13, 2017 at 1:20 PM, AK <[email protected]> wrote:
>
>> Following one of the group members' help, as below, I was able to create 
>> an SSL/TLS based client-server.
>>
>> You need to mint the certificate for the same CN as you connect to.
>>
>> 1. Create a server private key. This is what the server needs to have; it's 
>> super-secret.
>> 2. Create a server certificate with CN=localhost, self-signed. This is 
>> what the server and the client need to have; it's public.
>> 3. In the client, use the server certificate (*not* the key) as a "roots". 
>> This will tell your client to trust servers using that certificate - 
>> but only if the CN matches the address you connect to.
>> 4. In the client, connect to localhost.
>>
>>
>> At that time, gRPC only supported certificates created with a hostname 
>> value for CN. Now that gRPC 1.4.x supports Subject Alternate Names (SAN), 
>> an IP address can also be used to connect to the server. But I am having a 
>> problem with SANs. The moment I supply the certificates created with SAN I 
>> get the following error.
>>
>> E0613 13:01:34.755411031   26365 ssl_transport_security.c:925] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
>>
>> Greeter received: RPC failed
>>
>> Here is the process I used to create certificates
>>
>> mypass="pass123"
>>
>> echo Generate server key:
>>
>> openssl genrsa -passout pass:$mypass -des3 -out server.key 4096
>>
>>
>> echo Generate server signing request:
>>
>> openssl req -passin pass:$mypass -new -key server.key -out server.csr -config ssl.cfg
>>
>>
>> echo Self-sign server certificate:
>>
>> openssl x509 -req -passin pass:$mypass -days 365 -in server.csr -signkey server.key -set_serial 01 -out server.crt -extension v3_req -extfile ssl.cfg
>>
>>
>> echo Remove passphrase from server key:
>>
>> openssl rsa -passin pass:$mypass -in server.key -out server.key 
>>
>>
>> I am wondering what mistake I made in the above key-certificate creation 
>> steps?
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/grpc-io.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/grpc-io/9c0aa468-4614-465b-982f-d381bcdb96d7%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
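
Added example (not part of the original thread or of gRPC): a shell version of the self-signed procedure quoted above with SANs for localhost and 127.0.0.1, plus checks that the issued certificate really carries the SAN and verifies for the address a client connects to. The ssl.cfg contents, file names and function names are assumptions (the thread's ssl.cfg was not posted), and the key passphrase steps are left out.

```sh
#!/bin/sh
# Added example; ssl.cfg contents, file names and function names are assumptions.

make_cert() {  # usage: make_cert DIR san|nosan  -> writes DIR/server.crt
  d="$1"; mode="$2"
  cat > "$d/ssl.cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = localhost
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$d/server.key" -out "$d/server.csr" -config "$d/ssl.cfg" || return 1
  if [ "$mode" = san ]; then
    openssl x509 -req -days 365 -in "$d/server.csr" -signkey "$d/server.key" \
      -out "$d/server.crt" -extensions v3_req -extfile "$d/ssl.cfg" 2>/dev/null
  else  # no -extfile: the SANs requested in the CSR are not copied into the cert
    openssl x509 -req -days 365 -in "$d/server.csr" -signkey "$d/server.key" \
      -out "$d/server.crt" 2>/dev/null
  fi
}

# True only if the issued certificate carries a subjectAltName extension.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"; }

# True only if the cert, trusted as its own root, verifies for this IP / host name.
trusts_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }
trusts_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

# Compare a certificate built with the extension flags against one built without.
demo() {
  w=$(mktemp -d) || return 1
  for m in san nosan; do
    make_cert "$w" "$m" || return 1
    has_san "$w/server.crt" && s=yes || s=no
    trusts_ip "$w/server.crt" 127.0.0.1 && i=accepted || i=rejected
    echo "$m: SAN present=$s, 127.0.0.1 $i"
  done
  rm -rf "$w"
}
demo
```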
