gRPC SSL: no subject alternative names

Time: 2019-02-07 14:46:14

Tags: ssl ssl-certificate grpc grpc-java

How do I disable the hostname verifier in gRPC to avoid the following exception?

java.security.cert.CertificateException: No subject alternative names present

2 answers:

Answer 0 (score: 1)

The recommended way to use test certificates when the hostname does not match is to call ManagedChannelBuilder.overrideAuthority("test-hostname"). This is functionally similar to adding the test hostname to /etc/hosts. That way you can use forAddress() / forTarget() to select a different IP / DNS name without disabling security.

But it looks like your certificate is a bit broken anyway. Subject alternative names must be provided; relying on the certificate's "Subject" has been deprecated for decades.

You may also be interested in using gRPC's test certificates. We provide TlsTesting to load them.

import io.grpc.ManagedChannel;
import io.grpc.Server;
import io.grpc.ServerBuilder;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.grpc.testing.TlsTesting;

// Both builders can throw IOException / SSLException; call this from a method that declares them.
Server server = ServerBuilder.forPort(0)
    // Use test cert on server-side
    .useTransportSecurity(
        TlsTesting.loadCert("server1.pem"),
        TlsTesting.loadCert("server1.key"))
    // ...
    .build().start();

ManagedChannel channel = NettyChannelBuilder
    .forAddress("localhost", server.getPort())
    // Trust test CA on client-side
    .sslContext(
        GrpcSslContexts.forClient()
            .trustManager(TlsTesting.loadCert("ca.pem"))
            .build())
    // Change hostname to match certificate (the name verified against the cert's SANs)
    .overrideAuthority("foo.test.google.fr")
    .build();

Answer 1 (score: 0)

Just to elaborate on @Eric Anderson's answer. He pointed out that in gRPC's test certificates there are two kinds of *.cnf files used to generate the client and server certificates:

1. Generating the client certificate: openssl.cnf

2. Generating the server certificate: server1-openssl.cnf

At the very bottom of both files you will find the hostnames, where you need to add matching entries for the client and server.

For example, if you want to test client and server resolution locally on "localhost", you will need both openssl.cnf and server1-openssl.cnf to contain

[alt_names]
DNS.1 = localhost

After that you will need to regenerate the certificates. Here is a simple script based on the grpc-java info here:

#!/bin/bash
set -e
SERVER_CN=localhost
CLIENT_CN=localhost # Used when doing mutual TLS
TLS_KEY_PSSWD=somepsswd
# "openssl ca" needs the CA database files (index.txt, serial) named in the conf/*.cnf
# files to exist before it runs; the SAN entries come from the [alt_names] section there.
echo "When prompted for cert information, everything is default except the common name which is set to localhost"
echo Generate CA key:
openssl genrsa -passout "pass:${TLS_KEY_PSSWD}" -des3 -out ca.key 4096
echo Generate CA:
openssl req -passin "pass:${TLS_KEY_PSSWD}" -x509 -new -nodes -key ca.key -out ca.pem -config conf/ca-openssl.cnf -days 3650 -extensions v3_req -subj "/CN=${SERVER_CN}"
echo  "Now that we’re a CA on all our devices, we can sign certificates for any new dev sites that need HTTPS"
echo Generate client key:
openssl genrsa  -out client.key.rsa 1024
# Convert to unencrypted PKCS#8, which is what gRPC expects
openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
rm client.key.rsa
echo Generate client signing request:
openssl req -passin "pass:${TLS_KEY_PSSWD}"  -new -key client.key -out client.csr -subj "/CN=${CLIENT_CN}"
echo Generate client cert:
openssl ca -passin "pass:${TLS_KEY_PSSWD}"  -in client.csr -out client.pem -keyfile ca.key -cert ca.pem -verbose -config conf/openssl.cnf -days 3650 -updatedb
openssl x509 -in client.pem -out client.pem -outform PEM
echo Generate server key:
openssl genrsa -passout "pass:${TLS_KEY_PSSWD}"  -out server1.key.rsa 1024
openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
rm server1.key.rsa
echo Generate server signing request:
openssl req -passin "pass:${TLS_KEY_PSSWD}" -new -key server1.key -out server1.csr -config conf/server1-openssl.cnf  -subj "/CN=${SERVER_CN}"
echo Generate server cert:
# -extensions v3_req is what copies the [alt_names] SANs into the issued certificate
openssl ca -passin "pass:${TLS_KEY_PSSWD}"  -in server1.csr -out server1.pem -keyfile ca.key -cert ca.pem -verbose -config conf/server1-openssl.cnf -days 3650 -extensions v3_req -updatedb
openssl x509 -in server1.pem -out server1.pem -outform PEM
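As an added example that is not part of either answer or of gRPC itself: the check both answers are working around, written stand-alone in Python with only the standard library. It encodes and parses the GeneralNames of a subjectAltName extension (OID 2.5.29.17) and applies the matching rule a TLS client applies to the channel authority. That shows why a certificate carrying only a CN fails with "No subject alternative names present" regardless of what the CN says, why overrideAuthority("foo.test.google.fr") from answer 0 is accepted against a wildcard SAN, and why the regenerated certificate from answer 1 needs DNS.1 = localhost. The SAN values used in the demo are constructed for illustration, not read from gRPC's actual test certificates.

```python
"""Constructed illustration of subjectAltName encoding/parsing and authority matching."""
import ipaddress

TAG_SEQUENCE = 0x30
TAG_DNS_NAME = 0x82      # GeneralName [2] IMPLICIT IA5String
TAG_IP_ADDRESS = 0x87    # GeneralName [7] IMPLICIT OCTET STRING


def der_encode(tag, content):
    """Encode one DER TLV, using short or long-form length as required."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + content


def der_decode(data, pos=0):
    """Decode the TLV starting at pos; return (tag, content, position after it)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def encode_san(dns_names=(), ip_addresses=()):
    """Build the GeneralNames SEQUENCE carried by a subjectAltName extension."""
    names = b"".join(der_encode(TAG_DNS_NAME, n.encode("ascii")) for n in dns_names)
    names += b"".join(der_encode(TAG_IP_ADDRESS, ipaddress.ip_address(ip).packed)
                      for ip in ip_addresses)
    return der_encode(TAG_SEQUENCE, names)


def decode_san(der):
    """Parse GeneralNames into (dns_names, ip_addresses); other name types are skipped."""
    tag, body, _ = der_decode(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("subjectAltName must be a SEQUENCE of GeneralName")
    dns, ips, pos = [], [], 0
    while pos < len(body):
        t, content, pos = der_decode(body, pos)
        if t == TAG_DNS_NAME:
            dns.append(content.decode("ascii"))
        elif t == TAG_IP_ADDRESS:
            ips.append(str(ipaddress.ip_address(content)))
    return dns, ips


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count (no "*.a.b" matching "x.y.a.b") and at least two labels after the "*".
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def verify_authority(authority, san_der):
    """Mimic the client-side check applied to the channel authority.

    san_der is None when the certificate has no subjectAltName extension at all; that is the
    case in which Java's verifier reports "No subject alternative names present", so a CN-only
    certificate is rejected whatever its CN says.
    """
    if san_der is None:
        raise ValueError("No subject alternative names present")
    dns, ips = decode_san(san_der)
    try:
        ip = ipaddress.ip_address(authority)  # IP literals are matched against iPAddress entries
        return str(ip) in ips
    except ValueError:
        return any(dns_name_matches(p, authority) for p in dns)


if __name__ == "__main__":
    # Constructed SAN set: a wildcard like the one overrideAuthority("foo.test.google.fr")
    # is meant to satisfy, plus the localhost entry answer 1 adds via DNS.1 = localhost.
    wildcard_san = encode_san(["*.test.google.fr"])
    local_san = encode_san(["localhost"], ["127.0.0.1"])
    print("foo.test.google.fr vs *.test.google.fr:", verify_authority("foo.test.google.fr", wildcard_san))
    print("localhost vs *.test.google.fr:", verify_authority("localhost", wildcard_san))
    print("localhost vs DNS.1 = localhost:", verify_authority("localhost", local_san))
    try:
        verify_authority("localhost", None)  # certificate with a CN but no SAN extension
    except ValueError as err:
        print("CN-only certificate:", err)
```

The `None` branch is the situation the question is about: hostname verification never consults the Subject CN, so the fix is a certificate whose SAN list contains the name the client connects with (or, for a test certificate, overriding the authority to a name that is already in that list), not disabling the verifier.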