Re: [go-nuts] Re: SPIFFE certificate verification (SVID) failure

2019-04-03 Thread Dheeraj Gedam
Hi Bradley,

Thanks for the response.
I could get things going with the go-spiffe library [
https://github.com/spiffe/go-spiffe].
This library essentially provides a custom verification method
(tls.Config.VerifyPeerCertificate) which takes care of matching the SVID.
This one suited my need.

Regards,
Dheeraj




On Tue, Apr 2, 2019 at 11:18 PM  wrote:

> Have you reached out to the SPIFFE and SPIRE folks?
>
> https://github.com/spiffe/spiffe
> https://github.com/spiffe/spire
>
> SPIRE, a reference implementation, is written in Go.  They may be familiar
> with the issue.
>
> On Monday, April 1, 2019 at 11:51:20 AM UTC-5, Dheeraj Gedam wrote:
>>
>> Hi,
>>
>> I am writing a gRPC client for a third party gRPC Server. Certificates
>> issued to both Server and Client are SPIFFE based. These certificates don't
>> have a Common Name and have the SPIFFE ID in the URI SAN field.
>> However, there is an issue while validating the server certificate which
>> leads to a handshake failure.
>>
>> *go version go1.12.1 linux/amd64*
>>
>>
>> CA had issued certificates for both client and server. My client code
>> performs below steps:
>>
>> 1. Populate tls.Config structure
>>    tlsConf.Certificates = []tls.Certificate{clientcertificate}
>>    tlsConf.RootCAs = caCertificatePool
>>    tlsConf.InsecureSkipVerify = false
>>
>> 2. creds = credentials.NewTLS()
>>
>> 3. conn, err := ({}).DialContext(ctx, "tcp", "servername")
>>    conn, _, err = creds.ClientHandshake(ctx, "servername", conn)
>>
>> ClientHandshake returns the error "*x509: certificate is not valid for any
>> names, but wanted to match *"
>>
>> This error comes from *https://golang.org/src/crypto/x509/verify.go*, in
>> func (h HostnameError) Error() string.
>> After a little debugging, it looks like the below sequence of events is
>> happening:
>> i) hostname is populated from addr (i.e. servername in this case) in
>> DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This
>> same hostname is populated as config.ServerName.
>> ii) config.ServerName is later used to populate DNSName in VerifyOptions.
>> iii) Since DNSName is non-empty, VerifyHostname() is called, which returns
>> an error!
>>
>> In short, when it is a SPIFFE certificate, the hostname match should be
>> avoided and only the URI SAN should be matched.
>> There is the option InsecureSkipVerify, which altogether skips hostname
>> and certificate verification.
>> I would like to know if there is an option of just skipping the hostname
>> match and continuing with the rest of the certificate verification (required
>> for mTLS).
>>
>> Thanks,
>> Dheeraj
>>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[go-nuts] SPIFFE certificate verification (SVID) failure

2019-04-01 Thread dheeraj . gedam
Hi,

I am writing a gRPC client for a third party gRPC Server. Certificates 
issued to both Server and Client are SPIFFE based. These certificates don't 
have a Common Name and have the SPIFFE ID in the URI SAN field. 
However, there is an issue while validating the server certificate which 
leads to a handshake failure.

*go version go1.12.1 linux/amd64*


CA had issued certificates for both client and server. My client code 
performs below steps:

1. Populate tls.Config structure 
   tlsConf.Certificates = []tls.Certificate{clientcertificate}
   tlsConf.RootCAs = caCertificatePool
   tlsConf.InsecureSkipVerify = false

2. creds = credentials.NewTLS()

3. conn, err := ({}).DialContext(ctx, "tcp", "servername")
   conn, _, err = creds.ClientHandshake(ctx, "servername", conn)

ClientHandshake returns the error "*x509: certificate is not valid for any 
names, but wanted to match *"

This error comes from *https://golang.org/src/crypto/x509/verify.go*, in 
func (h HostnameError) Error() string. 
After a little debugging, it looks like the below sequence of events is 
happening:
i) hostname is populated from addr (i.e. servername in this case) in 
DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This 
same hostname is populated as config.ServerName. 
ii) config.ServerName is later used to populate DNSName in VerifyOptions.
iii) Since DNSName is non-empty, VerifyHostname() is called, which returns 
an error! 

In short, when it is a SPIFFE certificate, the hostname match should be 
avoided and only the URI SAN should be matched. 
There is the option InsecureSkipVerify, which altogether skips hostname 
and certificate verification. 
I would like to know if there is an option of just skipping the hostname match 
and continuing with the rest of the certificate verification (required for mTLS).

Thanks,
Dheeraj

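Added example (written for this page, not code from the thread, from the Go standard library docs, or from go-spiffe) of the approach the reply settled on: tls.Config.InsecureSkipVerify only switches off the built-in check, and a VerifyPeerCertificate callback redoes chain verification against the CA pool with DNSName left empty, then matches the URI SAN exactly. The trust domain, the SPIFFE IDs and the mintCert test PKI are constructed here; a real client takes its roots and the expected server ID from its own trust bundle.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeVerifier builds a tls.Config.VerifyPeerCertificate callback: chain verification
// against roots with DNSName left empty (so no hostname match), then an exact URI SAN match.
func spiffeVerifier(roots *x509.CertPool, wantID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		chain, err := x509.ParseCertificates(bytes.Join(rawCerts, nil)) // leaf first; verifiedChains is empty under InsecureSkipVerify
		if err != nil || len(chain) == 0 {
			return fmt.Errorf("bad or missing peer certificate: %v", err)
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c)
		}
		if _, err := chain[0].Verify(opts); err != nil {
			return err // unknown CA, expired, non-CA issuer: still rejected
		}
		if len(chain[0].URIs) != 1 || chain[0].URIs[0].String() != wantID {
			return fmt.Errorf("peer SPIFFE ID %v, want %s", chain[0].URIs, wantID)
		}
		return nil
	}
}

// mintCert is constructed test PKI, not a real CA: parent == nil gives a self-signed CA, otherwise a leaf with empty Subject (no CN) and one URI SAN, like an SVID.
func mintCert(parent *x509.Certificate, pkey ed25519.PrivateKey, id string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(id)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.Subject, tmpl.IsCA, tmpl.BasicConstraintsValid = pkix.Name{CommonName: "test CA"}, true, true
		tmpl.KeyUsage, parent, pkey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Wire it in as &tls.Config{Certificates: []tls.Certificate{clientcertificate}, InsecureSkipVerify: true, VerifyPeerCertificate: spiffeVerifier(caCertificatePool, serverID)} in place of the tlsConf from the question; mintCert exists only so the verifier can be exercised offline.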