-- Golang app server TLS connections to mobile clients --
Everything is working except the FULL CHAIN of trust is not being sent.
I created a pfx file (full identity file) converted it to PEM, loaded it
into a Go app (code below) and it works great except the INTERMEDIATE
certificates are not being sent as part of the chain of trust.
I've tried all the examples I can find, but none have resolved my issue.
I'm also using online TLS checker tools that mostly check web servers, I'm
not sure if better tools exist for testing pure gRPC connections besides
other one-off gRPC apps.
Again, this is a pure gRPC, non-web related connection. Below is a snippet
of code that is 99% working with comodo TLS certs, I'm concerned that my
issue may be with the CertPool and how it gets passed to tls.Config. I'm
following the examples but something is not working; also, it's not
entirely obvious whether an event hook is required to fetch and unwind the
CertPool or if the TLS libs can unwind everything in the proper order:
host_key, [INTERMEDIATES], RootCA_key; I have to assume so.
// Load the certificates from disk
//
certificate, err := tls.LoadX509KeyPair(crt, key)
if err != nil {
return fmt.Errorf("could not load server key pair: %s", err)
} else {
log.Println("loaded key pair")
}
// Read FullChain file from disk
//
CACert, err := ioutil.ReadFile(ca)
if err != nil {
return fmt.Errorf("could not read CACert certificate: %s", err)
} else {
log.Println("Found Cert Bundle")
}
// Create a certificate pool to hold certificates from authorities
//
certPool, _ := x509.SystemCertPool()
// Append the client certificates from the CA
//
if ok := certPool.AppendCertsFromPEM(CACert); !ok {
log.Println("----- Error: Not able to Append Certs to CertPool -----")
} else {
log.Println("Loaded PEM certs")
}
// TLS configuration object
//
tlsConfig := &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{certificate},
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
PreferServerCipherSuites: true,
// Forbid all TLS below 1.2
MinVersion: tls.VersionTLS12,
}
s := grpc.NewServer(
grpc.Creds(credentials.NewTLS(tlsConfig)),
grpc.KeepaliveParams(
keepalive.ServerParameters{
Time: (time.Duration((300) * time.Second)),
Timeout: (time.Duration(10) * time.Second),
},
),
grpc.KeepaliveEnforcementPolicy(
keepalive.EnforcementPolicy{
MinTime: (time.Duration((300) * time.Second)),
PermitWithoutStream: true,
},
),
)
[... start listening boilerplate...]
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/75d70ea4-9339-4692-95c8-57c3a3ef33b0%40googlegroups.com.
