使用自签名客户端证书进行grpc tls相互身份验证不良证书

Does Go gRPC support mutual TLS using self-signed client certs? I'm trying to get mutual TLS working on Go gRPC, and I generated self-signed certs for the server and client using src/crypto/tls/generate_cert.go, and the client is failing to connect with the server stating it's a bad cert.

Here's the relevant server code:

// load server cert/key, cacert
srvcert, err := tls.LoadX509KeyPair("server.pem", "key.pem")
if err != nil {
    log.Fatalf("SERVER: unable to read server key pair: %v", err)
}
pem, err := ioutil.ReadFile("../client/client.pem")
if err != nil {
    log.Fatalf("SERVER: unable to read client pem: %v", err)
}
certPool := x509.NewCertPool()
if ok := certPool.AppendCertsFromPEM(pem); !ok {
    log.Fatalf("SERVER: unable to add client cert to pool: %v", err)
}
ta := credentials.NewTLS(&tls.Config{
    Certificates: []tls.Certificate{srvcert},
    ClientCAs:    certPool,
    ClientAuth:   tls.RequireAndVerifyClientCert,
})

lis, err := net.Listen("tcp", ":51150")
if err != nil {
    log.Fatalf("SERVER: unable to listen: %v", err)
}
s := grpc.NewServer(grpc.Creds(ta))
pb.RegisterExpoServer(s, &server{})
if err := s.Serve(lis); err != nil {
    log.Fatalf("SERVER: failed to serve: %v", err)
}

And the relevant client code:

// load client cert/key, cacert
clcert, err := tls.LoadX509KeyPair("client.pem", "key.pem")
if err != nil {
    log.Fatalf("CLIENT: unable to load client pem: %v", err)
}
srvcert, err := ioutil.ReadFile("../server/server.pem")
if err != nil {
    log.Fatalf("CLIENT: unable to load server cert: %v", err)
}
caCertPool := x509.NewCertPool()
if ok := caCertPool.AppendCertsFromPEM(srvcert); !ok {
    log.Fatalf("CLIENT: unable to load server cert pool: %v", err)
}

ta := credentials.NewTLS(&tls.Config{
    Certificates: []tls.Certificate{clcert},
    RootCAs:      caCertPool,
})
conn, err := grpc.Dial("localhost:51150", grpc.WithTransportCredentials(ta))
if err != nil {
    log.Fatalf("CLIENT: unable to dial: %v", err)
}

c := pb.NewExpoClient(conn)

The client is able to dial okay, but the error comes when trying to call an RPC on the client:

2018/07/28 19:32:18 CLIENT: unable to checkin: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

报告相同问题？

关注问题

在Go gRPC处理程序中从客户端证书获取主题DN
2017-11-09 06:58

回答 1 已采纳 You can use peer.Peer from ctx context.Context for access to the OID registry in x509.Certificate.
GRPC Golang服务器和NodeJS客户端。 TLS连接失败 node.js
2019-02-27 02:15

回答 1 已采纳 So the issue was that the certificate couldn't hold IP address as the hostname. It should have a n
gRPC客户端流式流控制如何进行？
2019-08-06 11:46

回答 1 已采纳 gRPC flow control is based on http2 flow control: https://http2.github.io/http2-spec/#FlowControl
Fabric系列 - TLS身份验证
2023-03-21 21:50

搬砖魁首的博客所有组织(orderer组织与加入该channel的peer组织)的根证书都会被写入channel的创世块（确切的说是channel配置块）中（没配置开启TLS也会写入）, 每个组织的锚节点地址也会被写入。故要增加、删除组织，修改锚节点...
客户端上的gRPC上下文
2017-12-01 18:34

回答 1 已采纳 I finally found my way: https://github.com/grpc/grpc-go/blob/master/Documentation/grpc-metadata.md
使用Golang在Nginx后面运行的GRPC服务的TLS nginx ssl
2018-11-30 08:30

回答 1 已采纳 Just posting what I ended up doing for my setup. Nginx does support GRPC with version 1.3.10+ but
使用gRPC在容器之间进行通信 docker
2017-06-20 01:11

回答 1 已采纳 You need to include the hostname in the dial function, otherwise it's looking at localhost which i
24. 【gRPC系列学习】gRPC安全认证-TLS认证
2022-12-24 10:09

明神特烦恼的博客 gRPC 安全认证-TLS认证
如何为gRPC TLS连接设置docker-compose容器？
2018-02-14 03:21

回答 1 已采纳 You are missing grpc.Creads(...) We are use this code: package main import( "crypto/tls"
试图了解Golang中gRPC客户端中通道的使用
2018-03-20 19:59

回答 1 已采纳 Channel waitc used to make main thread wait for goroutine to finish receiving from server and grac
如何响应多个gRPC客户端？
2019-09-17 21:00

回答 2 已采纳 There are two ways to read this question. One way is to read it as the auth problem as answered be
gRPC 的 SSL/TLS 加密认证
2023-02-16 21:37

물の韜的博客关于 gRPC 的 SSL/TLS 加密认证介绍！
如何正确设置gRPC客户端-服务器
2018-02-08 07:11

回答 2 已采纳 Is the server listening to that port? // Most linux lsof -i :3001 // OSX lsof -iTCP -sTCP:LISTE
gRPC — SSL/TLS单向认证、双向认证、Token认证
2024-03-09 16:28

江水灬之畔的博客传输层安全性协议（Transport Layer Security，缩写作 TLS ），其前身安全套接层（Secure...SSL/TLS 协议通过 X.509 证书的数字文档将网站的公司实体信息绑定到加密密钥，每一个密钥对都有一个私有密钥和一个公有密钥。
grpc介绍（二）——认证方式
2022-10-04 16:10

却道天凉_好个秋的博客 grpc认证方式介绍
没有解决我的问题, 去提问

悬赏问题

¥15 Vue3 大型图片数据拖动排序
¥15 划分vlan后不通了
¥15 GDI处理通道视频时总是带有白色锯齿
¥20 用雷电模拟器安装百达屋apk一直闪退
¥15 算能科技20240506咨询（拒绝大模型回答）
¥15 自适应 AR 模型参数估计Matlab程序
¥100 角动量包络面如何用MATLAB绘制
¥15 merge函数占用内存过大
¥15 使用EMD去噪处理RML2016数据集时候的原理
¥15 神经网络预测均方误差很小但是图像上看着差别太大

码龄粉丝数原力等级 --

使用自签名客户端证书进行grpc tls相互身份验证不良证书

0条回答默认最新

悬赏问题

使用自签名客户端证书进行grpc tls相互身份验证不良证书

0条回答 默认 最新

悬赏问题

0条回答默认最新