Looking at your code, there seems to be a flaw - when using SslCredentials, you can either

1. use the root certificate (cacert) in case you only want to authenticate the server and you don't care about authenticating the client. Example: "new SslCredentials(cacert)" - this seems to be what you want.
2. or provide the full key certificate pair on the client, which will allow authenticating the client on the server. Example: new SslCredentials(cacert, new KeyCertificatePair(clientcert, privatekey));

What you are doing is something in-between these two and doesn't really make much sense. Also, the KeyCertificatePair doesn't accept null for the private key and it's been like that since 2 years ago.
https://github.com/grpc/grpc/blob/5253c8f9a899450397a5e46e4923d01ac9a66a27/src/csharp/Grpc.Core/KeyCertificatePair.cs#L40
So I have trouble believing that your snippet actually worked in C# 1.3.6 version at all.

On Sunday, September 10, 2017 at 3:42:22 PM UTC+2, [email protected] wrote:
>
> After updating my C# client and C# server from gRPC v1.3.6 to v1.4.1, I
> encountered a problem: the client could not establish a secure SSL
> connection to the server when passing an empty private key from the client
> side.
>
> The server is configured like this:
> var cacert = config.ChannelRootCertificates; // ca.crt
> var servercert = config.ChannelCertificateChain; // server.crt
> var serverkey = config.ChannelPrivateKey; // server.key
> var keypair = new KeyCertificatePair(servercert, serverkey);
> var sslCredentials = new SslServerCredentials(new List<KeyCertificatePair>() { keypair }, cacert, false); // **** don't forceClientAuth
>
> The client is configured like this:
> var cacert = Encoding.ASCII.GetString(Certificates.ca);
> var clientcert = Encoding.ASCII.GetString(Certificates.client);
> var clientkey = Encoding.ASCII.GetString(Certificates.clientkey);
> var keypair = new KeyCertificatePair(clientcert, null); // **** Passing NULL private key for the client
> var sslCredentials = new SslCredentials(cacert, keypair);
>
> Up to version 1.3.6, the connection was established successfully.
> The NULL private key means that the server does not enforce the identity
> of the client (but the client still enforces the identity of the server).
> When I change the private key parameter in the KeyCertificatePair to the
> real private key, the connection works fine.
>
> My question is:
>
> 1. Was the authentication logic intentionally changed between the
> versions, and the failure is a feature and not a bug?
> 2. Under those circumstances, how can I establish an SSL connection
> without making the client have a private key? (I don't care about
> authenticating the client's identity in the server)
>
> Thanks!
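
The two valid client configurations described in the reply above, as an added example that is not part of the original thread and not gRPC project code. The class name ClientTls, its parameter names and the error text are hypothetical. It assumes the Grpc.Core package and PEM-encoded strings.

```csharp
using System;
using Grpc.Core;

// Added illustration: ClientTls and its parameter names are hypothetical.
public static class ClientTls
{
    // Builds client-side channel credentials for one of the two supported modes:
    //  - server authentication only: root certificate, no client identity
    //  - mutual TLS: root certificate plus client certificate AND private key
    // A certificate without its key (or a key without its certificate) is
    // rejected here instead of being passed on to KeyCertificatePair.
    public static SslCredentials Build(
        string caCertPem,
        string clientCertPem = null,
        string clientKeyPem = null)
    {
        if (string.IsNullOrWhiteSpace(caCertPem))
        {
            throw new ArgumentException(
                "A root certificate is required to authenticate the server.",
                nameof(caCertPem));
        }

        bool hasCert = !string.IsNullOrWhiteSpace(clientCertPem);
        bool hasKey = !string.IsNullOrWhiteSpace(clientKeyPem);

        if (!hasCert && !hasKey)
        {
            // The client verifies the server and presents no identity. This fits
            // a server created with forceClientAuth set to false, as in the
            // quoted server configuration.
            return new SslCredentials(caCertPem);
        }

        if (hasCert != hasKey)
        {
            throw new ArgumentException(
                "Client certificate and private key must be supplied together; " +
                "omit both to authenticate only the server.");
        }

        // Mutual TLS: the client proves possession of the private key that
        // matches its certificate, so the server can authenticate it.
        return new SslCredentials(
            caCertPem,
            new KeyCertificatePair(clientCertPem, clientKeyPem));
    }
}
```

With the variable names from the quoted client snippet, ClientTls.Build(cacert) gives the server-authentication-only credentials and ClientTls.Build(cacert, clientcert, clientkey) gives the mutual-TLS ones.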
