Hi Sam,
You're pretty close with what you have. The root certificate is the public
certificate for the Certificate Authority (CA) that you used to sign the
other certificates. There are some good blogs describing the process using
other languages, but the principle is the same. Try this one:
https://bbengfort.github.io/programmer/2017/03/03/secure-grpc.html
What you have set up is *Mutual TLS*, where the client and server both have
a public key pair and both ends are verified by each other. You could also
load only your CA Root cert on the client and that will correctly verify
the server's certificate only, not the peer's. My server is in C#, but my
clients are other languages, so I'm guessing that the API will be similar
to this:
*Server - SSL Setup, pass the credentials to the Channel constructor.*
// Root CA that issued the certificates; used to validate any client certificate presented.
var caCert = File.ReadAllText("Certs/MyProject_Root_CA.crt");
// The server's own certificate and private key, as PEM text.
var serverCert = File.ReadAllText("Certs/myproject-server.crt");
var serverKey = File.ReadAllText("Certs/myproject-server.key");
var keypair = new KeyCertificatePair(serverCert, serverKey);
// Ask clients for a certificate, but do not fail the handshake if none is valid.
var sslCredentials = new SslServerCredentials(
    new List<KeyCertificatePair> { keypair },
    caCert,
    SslClientCertificateRequestType.RequestButDontVerify);
*Client - No mutual TLS*
// Trust only server certificates chaining to this root; no client certificate is sent.
var caCert = File.ReadAllText("MyProject_Root_CA.crt");
var sslCredentials = new SslCredentials(caCert);
var channel = new Channel("127.0.0.1", 6222, sslCredentials);
One final note: the "subject" must match the hostname. I am probably not
explaining it correctly, but you may encounter an error such as "*No match
found for server name: 127.0.0.1.*". If so, you can override the server
name. Java clients have a simpler API; I believe the C# way would be
something like this:
var channelOptions = new[] {
    new ChannelOption(ChannelOptions.SslTargetNameOverride, "myproject-server")
};
var channel = new Channel("127.0.0.1", 6222, sslCredentials, channelOptions);
In production this may be a bad idea, but I'm not too sure, having read some
comments here: https://github.com/grpc/grpc/issues/16759.
Hope this helps,
Joe.
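The check behind the "No match found for server name" error, as an added example that is not part of this thread or of gRPC's own code: a Go program using only the standard library that builds a throwaway root CA and a server certificate in memory (the same PEM material Sam generates with openssl and the C# code loads with File.ReadAllText), then runs the chain-and-hostname verification a TLS client performs against the name it dialled. The names "MyProject Root CA", "myproject-server" and 127.0.0.1 come from the thread; the key type, lifetimes, fixed serial numbers and function names are choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds the two PEM strings the C# client and server read with File.ReadAllText.
type PKI struct {
	RootCertPEM, ServerCertPEM []byte
}

// BuildPKI creates a self-signed root CA and one server certificate signed by it.
// dnsNames and ips become the server certificate's subjectAltName entries, which
// is what a client's hostname check consults; the Subject CN alone does not count.
func BuildPKI(dnsNames []string, ips []net.IP) (*PKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // fixed serials suffice for a throwaway PKI; real CAs use random ones
		Subject:               pkix.Name{CommonName: "MyProject Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "myproject-server"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srv, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{
		RootCertPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ServerCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER}),
	}, nil
}

// VerifyServerName does what a TLS client does with the server's certificate: chain
// it to the trusted root, then require that serverName (the host dialled, or the
// SslTargetNameOverride value) is in its SANs. A name mismatch is the thread's error.
func VerifyServerName(rootCertPEM, serverCertPEM []byte, serverName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootCertPEM) {
		return fmt.Errorf("no usable root certificate in PEM input")
	}
	block, _ := pem.Decode(serverCertPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	// Constructed scenario from the thread: the client dials 127.0.0.1 while the
	// certificate only names "myproject-server"; then the same with an IP SAN added.
	noIP, err1 := BuildPKI([]string{"myproject-server"}, nil)
	withIP, err2 := BuildPKI([]string{"myproject-server"}, []net.IP{net.ParseIP("127.0.0.1")})
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("no IP SAN, dial 127.0.0.1:     ", VerifyServerName(noIP.RootCertPEM, noIP.ServerCertPEM, "127.0.0.1"))
	fmt.Println("no IP SAN, override to CN:     ", VerifyServerName(noIP.RootCertPEM, noIP.ServerCertPEM, "myproject-server"))
	fmt.Println("IP SAN present, dial 127.0.0.1:", VerifyServerName(withIP.RootCertPEM, withIP.ServerCertPEM, "127.0.0.1"))
	fmt.Println("issued by a different root CA: ", VerifyServerName(noIP.RootCertPEM, withIP.ServerCertPEM, "myproject-server"))
}
```

Running it shows the two fixes side by side: dialling 127.0.0.1 succeeds only once the certificate carries an IP SAN for it, while with a DNS-only certificate the expected name has to be changed to "myproject-server", which is what SslTargetNameOverride does on the client. The last case shows what the override does not weaken: a certificate chaining to a different root is rejected whatever name it carries, so the override only pins which name issued by your own CA you expect. Issuing the server certificate with the SANs the clients actually dial (in openssl terms, subjectAltName = DNS:myproject-server,IP:127.0.0.1) avoids the override altogether.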
On Thursday, 6 June 2019 07:58:41 UTC+1, Sam wrote:
>
> Hi all,
>
> I am attempting to create a secure connection between a gRPC client and
> server with the C# wrapper. By secure I mean that I want the safety
> properties that would avoid any kind of MITM attack, but I don’t need the
> authentication part (which will be done by higher application levels), the
> encryption is enough for my requirements.
>
> Reading gRPC's C# code comments, it seems that on the server side I can use
> “SslClientCertificateRequestType.RequestButDontVerify”, I considered
> “SslClientCertificateRequestType.DontRequest" but I get the impression that
> this would not encrypt communications, even if I provide a key pair on the
> client side.
>
> As far as I can see the client side would use a self-signed certificate
> (meaning he generates the certificate and the key pair, the certificate
> will be signed with the keypair).
>
> I can't figure out the correct way to set this up. As far as I can see,
> after generating the key pair and the certificate, it should be something
> like this:
>
> Client side - generate key pair and certificate:
> var keyCertPair = new KeyCertificatePair(File.ReadAllText("cert.pem"),
>     File.ReadAllText("key.pem"));
> var channelCredentials = new SslCredentials(File.ReadAllText("cert.pem"),
>     keyCertPair);
> var channel = new Channel("127.0.0.1:5000", channelCredentials);
>
> * Notice that I’m not sure what to use for the root certificate, so I
> reuse the same.
>
> Server side - generate a different key pair and certificate:
> var keyCertPair = new KeyCertificatePair(File.ReadAllText("cert.pem"),
>     File.ReadAllText("key.pem"));
> ServerCredentials credentials = new SslServerCredentials(
>     new List<KeyCertificatePair> { keyCertPair },
>     null,
>     SslClientCertificateRequestType.RequestButDontVerify);
>
>
> This will log the following server side: *No match found for server name:
> 127.0.0.1*
>
> I'm out of ideas at this point, apart from just trying stuff to make it
> work. I'm just trying to encrypt the communication, not verify the identity
> of the peer. I'm using openssl on mac to generate the key pairs and
> certificates.
>
> Thanks a lot.
> Sam
>
>
> PS: If an admin could clean up my failed attempt at editing my original
> post would be great:
> https://groups.google.com/forum/#!topic/grpc-io/vtut-JjzGxQ
>
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/78dcf40c-6e14-4d41-ae97-aab8dfae435b%40googlegroups.com.