After updating my C# client and C# server from gRPC v1.3.6 to v1.4.1, I 
encountered a problem: the client could not establish a secure SSL 
connection to the server when passing an empty private key from the client 
side.

The server is configured like this:
var cacert = config.ChannelRootCertificates; // ca.crt
var servercert = config.ChannelCertificateChain; // server.crt
var serverkey = config.ChannelPrivateKey; // server.key
var keypair = new KeyCertificatePair(servercert, serverkey);
var sslCredentials = new SslServerCredentials(
    new List<KeyCertificatePair>() { keypair }, cacert, false); // **** don't forceClientAuth

The client is configured like this:
var cacert = Encoding.ASCII.GetString(Certificates.ca);
var clientcert = Encoding.ASCII.GetString(Certificates.client);
var clientkey = Encoding.ASCII.GetString(Certificates.clientkey);
var keypair = new KeyCertificatePair(clientcert, null); // **** Passing NULL private key for the client
var sslCredentials = new SslCredentials(cacert, keypair);

Up to version 1.3.6, the connection was established successfully.
The NULL private key means that the server does not enforce the identity of 
the client (but the client still enforces the identity of the server).
When I change the private key parameter in the KeyCertificatePair to the 
real private key, the connection works fine.

My questions are:

   1. Was the authentication logic intentionally changed between the 
   versions, and is the failure a feature and not a bug?
   2. Under those circumstances, how can I establish an SSL connection 
   without making the client have a private key? (I don't care about 
   authenticating the client's identity in the server)

Thanks!
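
An added example, not part of the original post and not gRPC project code: a client-side helper that builds server-authenticated TLS credentials with the Grpc.Core SslCredentials constructor that takes only the root certificates, and only builds a KeyCertificatePair when both a client certificate and its key are supplied. The ClientTls class and its parameter names are hypothetical.

```csharp
using System;
using Grpc.Core;

// Hypothetical helper; only the Grpc.Core types (SslCredentials,
// KeyCertificatePair, Channel) come from the library.
public static class ClientTls
{
    // caPem: PEM text of the CA that signed the server certificate.
    // clientCertPem / clientKeyPem: optional client identity for mutual TLS.
    public static SslCredentials Build(
        string caPem, string clientCertPem = null, string clientKeyPem = null)
    {
        if (string.IsNullOrWhiteSpace(caPem))
            throw new ArgumentException(
                "A CA bundle is required to verify the server", nameof(caPem));

        bool hasCert = !string.IsNullOrWhiteSpace(clientCertPem);
        bool hasKey = !string.IsNullOrWhiteSpace(clientKeyPem);

        if (!hasCert && !hasKey)
        {
            // Server-authenticated TLS: the client verifies the server
            // against caPem and presents no certificate of its own.
            return new SslCredentials(caPem);
        }

        if (hasCert != hasKey)
        {
            // A certificate without its key (or the reverse) cannot be used
            // to prove identity, so reject it instead of passing null along.
            throw new ArgumentException(
                "Client certificate and private key must be supplied together");
        }

        // Mutual TLS: the client presents its certificate and proves
        // possession of the matching private key.
        return new SslCredentials(
            caPem, new KeyCertificatePair(clientCertPem, clientKeyPem));
    }

    // Opens a channel that authenticates the server only.
    public static Channel Connect(string host, int port, string caPem)
    {
        return new Channel(host, port, Build(caPem));
    }
}
```

This pairs with a server created with forceClientAuth set to false, as in the server configuration shown in the post.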



