How do I disable the hostname verifier in gRPC to avoid the following exception?

```
java.security.cert.CertificateException: No subject alternative names present
```
Answer 0 (score: 1)
When the hostname does not match, the recommended approach for test certificates is to call ManagedChannelBuilder.overrideAuthority("test-hostname"). This is functionally similar to adding the test hostname to /etc/hosts. That way you can use forAddress() / forTarget() to choose a different IP / DNS name without disabling security.

But it looks like your certificate is also a bit broken. Subject Alternative Names must be provided; relying on the certificate's "Subject" has been out of date for decades.

You may also be interested in using gRPC's test certificates. We provide TlsTesting to load them.
```java
server = ServerBuilder.forPort(0)
    // Use test cert on server-side
    .useTransportSecurity(
        TlsTesting.loadCert("server1.pem"),
        TlsTesting.loadCert("server1.key"))
    // ...
    .build().start();

channel = NettyChannelBuilder
    .forAddress("localhost", server.getPort())
    // Trust test CA on client-side
    .sslContext(
        GrpcSslContexts.forClient()
            .trustManager(TlsTesting.loadCert("ca.pem"))
            .build())
    // Change hostname to match certificate
    .overrideAuthority("foo.test.google.fr")
    .build();
```
Answer 1 (score: 0)
Just to elaborate on @Eric Anderson's answer. He pointed out that gRPC's test certificates come with two kinds of *.cnf files, used to generate the client and server certificates:

1. Generating the client certificate: openssl.cnf
2. Generating the server certificate: server1-openssl.cnf

At the very bottom of both files you will find the hostnames, where you need to add matching entries for the client and server.

For example, if you want to test locally with the client and server resolving on "localhost", then you will need both openssl.cnf and server1-openssl.cnf to contain:

```ini
[alt_names]
DNS.1 = localhost
```
After that you will need to regenerate the certificates. Here is a simple script based on the grpc-java info here:

```bash
#!/bin/bash
# Run from the grpc-java test-certificate directory: the conf/ subdirectory
# must hold the *.cnf files and the CA database that `openssl ca` expects.
SERVER_CN=localhost
CLIENT_CN=localhost # Used when doing mutual TLS
TLS_KEY_PSSWD=somepsswd

echo "When prompted for cert information, everything is default except the common name which is set to localhost"

echo Generate CA key:
openssl genrsa -passout "pass:${TLS_KEY_PSSWD}" -des3 -out ca.key 4096
echo Generate CA:
openssl req -passin "pass:${TLS_KEY_PSSWD}" -x509 -new -nodes -key ca.key -out ca.pem -config conf/ca-openssl.cnf -days 3650 -extensions v3_req -subj "/CN=${SERVER_CN}"
echo "Now that we're a CA on all our devices, we can sign certificates for any new dev sites that need HTTPS"

echo Generate client key:
# 1024-bit RSA, unencrypted PKCS#8 output: acceptable for throwaway test certs only
openssl genrsa -out client.key.rsa 1024
openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
rm client.key.rsa
echo Generate client signing request:
openssl req -passin "pass:${TLS_KEY_PSSWD}" -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}"
echo Generate client cert:
openssl ca -passin "pass:${TLS_KEY_PSSWD}" -in client.csr -out client.pem -keyfile ca.key -cert ca.pem -verbose -config conf/openssl.cnf -days 3650 -updatedb
openssl x509 -in client.pem -out client.pem -outform PEM

echo Generate server key:
openssl genrsa -passout "pass:${TLS_KEY_PSSWD}" -out server1.key.rsa 1024
openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
rm server1.key.rsa
echo Generate server signing request:
# The server CSR uses SERVER_CN; the SAN itself comes from conf/server1-openssl.cnf
openssl req -passin "pass:${TLS_KEY_PSSWD}" -new -key server1.key -out server1.csr -config conf/server1-openssl.cnf -subj "/CN=${SERVER_CN}"
echo Generate server cert:
openssl ca -passin "pass:${TLS_KEY_PSSWD}" -in server1.csr -out server1.pem -keyfile ca.key -cert ca.pem -verbose -config conf/server1-openssl.cnf -days 3650 -extensions v3_req -updatedb
openssl x509 -in server1.pem -out server1.pem -outform PEM
```
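Both answers come down to the same requirement: the server certificate must carry a subjectAltName equal to the authority the client presents, whether that is the real hostname or the value passed to overrideAuthority(). The script below is an added example, not code from either answer or from grpc-java; it mints a throwaway CA and a server certificate with DNS:localhost in its SAN, then confirms, using the same name match a TLS client performs, that the SAN is really there before the files reach the gRPC code. Directory and file names are constructed for the demo; it assumes only the openssl CLI (1.0.2 or newer).

```shell
#!/bin/sh
# Added example: CA + server cert with a matching subjectAltName, then verify it.
# Assumes only the `openssl` CLI; every path and name here is constructed.
set -eu

WORK="${TMPDIR:-/tmp}/grpc-san-demo.$$"   # constructed scratch directory

# gen_san_cert DIR HOST: write ca.pem, server1.key and server1.pem into DIR,
# with server1.pem carrying subjectAltName=DNS:HOST (what Java actually checks).
gen_san_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Throwaway CA: key + self-signed cert marked CA:TRUE so `openssl verify` accepts it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    # Server key + CSR. The CN alone does not satisfy Java's hostname check.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server1.key" -out "$dir/server1.csr" 2>/dev/null
    # The SAN is added at signing time via -extfile, which works on OpenSSL 1.0.2+.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/server1.pem" 2>/dev/null
}

# check_cert DIR HOST: 0 when server1.pem chains to ca.pem AND HOST matches its
# SAN, 1 otherwise. This mirrors what the gRPC client checks at the handshake
# against the authority (the real hostname or the overrideAuthority value).
check_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.pem" "$dir/server1.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server1.pem" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' || return 1
}

# Stand-alone run: mint the files, prove the SAN is present, show it, clean up.
gen_san_cert "$WORK" localhost
check_cert "$WORK" localhost
echo 'server1.pem: SAN matches localhost, usable with overrideAuthority("localhost")'
openssl x509 -in "$WORK/server1.pem" -noout -text | grep -A1 'Subject Alternative Name'
rm -rf "$WORK"
```

Point ca.pem at the client's trustManager and server1.pem / server1.key at the server's useTransportSecurity, and the "No subject alternative names present" exception no longer has a reason to occur.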