SslClientCertificateRequestType.DontRequest will encrypt the connection
if the client requests that (if client uses SslCredentials, the connection
must be encrypted), it just also allows non-encrypted connections (client
using ChannelCredentials.Insecure) to be accepted by the server (= a
scenario where server accepts both encrypted and unencrypted connections
and has logic to decide how to handle them).

For your example, you always need to set the roots.pem on the client,
otherwise you can't be sure that you're talking to the right server.
See examples here (sets up regular TLS connection without verifying the
client, but establishes we are talking to the right server).
https://github.com/jtattermusch/grpc-authentication-kubernetes-examples/blob/979345cca801b71eba9f8ffc67e13bf57c33a211/greeter-client/Program.cs#L86
https://github.com/jtattermusch/grpc-authentication-kubernetes-examples/blob/979345cca801b71eba9f8ffc67e13bf57c33a211/greeter-server/Program.cs#L74


On Thu, Jun 6, 2019 at 8:45 AM Sam <[email protected]> wrote:

> Hi all,
>
> I am attempting to create a secure connection between a gRPC client and
> server with the C# wrapper. By secure I mean that I want the safety
> properties that would avoid any kind of MITM attack, but I don’t need the
> authentication part (which will be done by higher application levels), the
> encryption is enough for my requirements.
>
> Reading gRPC's C# code comments, it seems that on the server side
> I can use "SslClientCertificateRequestType.RequestButDontVerify". I would
> use "SslClientCertificateRequestType.DontRequest" but I get the impression
> that this would not encrypt communications, even if I provide a key pair on
> the client side.
>
> As far as I can see the client side would use a self-signed certificate
> (meaning he generates the certificate and the key pair, the certificate
> will be signed with the keypair).
>
> I can’t figure out the correct way to set this up. As far as I can see,
> after generating the key pair and the certif, it should be something like
> this:
>
> Client side - generate key pair and certificate:
> var keyCertPair = new KeyCertificatePair(File.ReadAllText("cert.pem"),
> File.ReadAllText("key.pem"));
> var channelCredentials = new SslCredentials(null, keyCertPair);
> var channel = new Channel("127.0.0.1:5000", channelCredentials);
>
> * Notice that I’m not sure what to use for the root certificate.
>
> Server side - generate a different key pair and certificate:
> var keyCertPair = new KeyCertificatePair(File.ReadAllText("cert.pem"),
> File.ReadAllText("key.pem"));
> ServerCredentials credentials = new SslServerCredentials(new List<
> KeyCertificatePair> {keyCertPair}, null,
>     SslClientCertificateRequestType.RequestButDontVerify);
>
>
> This will log the following client side:
>
> Handshaker factory creation failed with TSI_INVALID_ARGUMENT
> Failed to create secure subchannel for secure name '127.0.0.1:5000'
>
>
>
> I'm out of ideas at this point apart from just trying stuff to make it
> work. I'm just trying to encrypt the communication, not verify the identity
> of the peer. I'm using openssl on mac to generate the key pairs and
> certificates.
>
> Thanks a lot.
> Sam
>
> --
> You received this message because you are subscribed to the Google Groups "
> grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/7cc06a2f-05c6-46bd-9376-eb6795edc8f1%40googlegroups.com
> <https://groups.google.com/d/msgid/grpc-io/7cc06a2f-05c6-46bd-9376-eb6795edc8f1%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>


-- 

Jan
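The setup Jan describes (server presents a certificate and does not request one from the client; client verifies the server via roots.pem), written out as an added example that is not code from the thread or from the linked repository. It assumes the Grpc.Core package, PEM files named server.crt/server.key/roots.pem, and a server certificate issued for the name "localhost"; no service is bound, so only the TLS handshake is exercised.

```csharp
// Added example, not from the thread. Assumes Grpc.Core and these PEM files:
//   server.crt / server.key : the server's certificate and private key
//   roots.pem               : the CA that signed server.crt (for a
//                             self-signed server cert, a copy of server.crt)
using System;
using System.Collections.Generic;
using System.IO;
using Grpc.Core;

public static class EncryptedNoClientAuth
{
    // Server side: encrypt, present server.crt, but do not ask the client for
    // a certificate. A client that uses SslCredentials still gets TLS; a client
    // using ChannelCredentials.Insecure would also be accepted (see Jan's note).
    public static SslServerCredentials ServerCredentials()
    {
        var keyCertPair = new KeyCertificatePair(
            File.ReadAllText("server.crt"),
            File.ReadAllText("server.key"));
        return new SslServerCredentials(
            new List<KeyCertificatePair> { keyCertPair },
            null,                                        // no client roots needed
            SslClientCertificateRequestType.DontRequest);
    }

    // Client side: no key pair required. roots.pem is required so the channel
    // can check it is talking to the intended server, which is the protection
    // against an active attacker that the question asks for.
    public static SslCredentials ClientCredentials()
    {
        return new SslCredentials(File.ReadAllText("roots.pem"));
    }

    public static void Main()
    {
        var server = new Server
        {
            Ports = { new ServerPort("localhost", 5000, ServerCredentials()) }
        };
        server.Start();

        // The host in the target must match a name in server.crt (assumed
        // "localhost" here), otherwise server verification fails.
        var channel = new Channel("localhost:5000", ClientCredentials());
        channel.ConnectAsync().Wait();
        Console.WriteLine($"channel state after TLS handshake: {channel.State}");

        channel.ShutdownAsync().Wait();
        server.ShutdownAsync().Wait();
    }
}
```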
