Disabling certificate check in gRPC TLS
Currently, I have an nginx server (on port 5001) behind which a gRPC server is running, nginx having TLS enabled. All gRPC clients need to send the request to the nginx port, which forwards to the running gRPC server. Initially, for testing, I had the gRPC request using usePlaintext() and it all worked fine, but the end goal is to use TLS. The requirement here is (as these are internal applications) that the gRPC channel request need not pass a certificate but do a "skip certificate" when creating the channel. After Googling around, I found examples on TLS, but all of them do take a .cert, .key file. Below is the snippet which I tried, and it failed at the server end: couldn't validate the certificate.

 (java code)
// Placeholders in angle brackets are the asker's; the closing parenthesis of
// trustManager(...) was missing in the posted snippet.
ManagedChannel channel = NettyChannelBuilder.forAddress("<server IP address>", 5001)
        .sslContext(GrpcSslContexts.forClient()
                .trustManager(new File("<.cert file>"))
                .build())
        .build();

Doing some more research, I see Golang has InsecureSkipVerify, using which I can skip the certificate check (please correct me if I am wrong):

tc := credentials.NewTLS(&tls.Config{
    InsecureSkipVerify: true,
})

Now how do I accomplish the same in Java?

Mishap answered 27/9, 2018 at 15:57

TLS with disabled certificate checking is of questionable usefulness because it can be trivially MITMed and so is not "supported" by gRPC. I highly recommend providing the client with proper root certificates to verify the server.

That said, you can go around gRPC's API to do this by passing Netty's InsecureTrustManagerFactory to SslContextBuilder.trustManager(TrustManagerFactory):

NettyChannelBuilder.forAddress("<server IP address>", 5001)
    .sslContext(GrpcSslContexts.forClient()
      .trustManager(InsecureTrustManagerFactory.INSTANCE)
      .build())
    .build();
Monophonic answered 27/9, 2018 at 16:27
Thanks for the reply. When I try to use InsecureTrustManagerFactory() it says private access, so does this mean there is some getter() method for this? If this is a singleton, even then shouldn't it allow me to create a new object? Also, I read some blogs which say we cannot use SslContextBuilder() but only GrpcSslContexts(); in such cases does this support InsecureTrustManagerFactory()? I am using the following import: io.netty.handler.ssl.util.InsecureTrustManagerFactory; is this correct? Sorry if it's very basic. (Mishap)
Was able to figure it out. Did the following: InsecureTrustManagerFactory.INSTANCE. With this change, it works. Thanks Eric for pointing out InsecureTrustManagerFactory. (Mishap)
Is there any such way for the gRPC Node library? I am continuously getting: E0127 14:52:05.495000000 9988 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED. (Factotum)
@SukhvirSingh do you have the solution for Node.js? I have the same problem going through nginx as well, even after setting server.pem and server.key. (Knotting)
@Eric Anderson do you know how to provide a new certificate to Java io.grpc? (Negligee)
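To make the answer's point concrete, here is an added example that is not from the question, the answer, or the gRPC project. It exercises the three client-side tls.Config variants the thread circles around against the same server over a loopback TCP handshake, using only Go's standard library (the credentials.NewTLS call from the question wraps such a config unchanged, and the Java options map one-to-one: trustManager(caFile) is case 3, InsecureTrustManagerFactory is case 2). The hostname grpc.internal.test and the self-signed certificate are constructed in memory for the demonstration; a real client would load the internal CA from a file. It shows that an empty trust store fails with x509.UnknownAuthorityError (the asker's "couldn't validate the certificate"), that InsecureSkipVerify accepts the certificate without caring who signed it (which is exactly why it is MITM-able), and that trusting the internal issuer plus setting ServerName succeeds while still authenticating the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed hostname for the throwaway certificate below (assumption, not from the thread).
const serverName = "grpc.internal.test"

// newSelfSignedCert builds an in-memory self-signed certificate standing in for the one nginx presents on 5001.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// handshake runs one TLS handshake over loopback TCP: the server presents serverCert, the client
// uses clientCfg. A nil result means the client accepted the server's certificate.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan struct{})
	go func() { // server side: only the client's verdict matters, so its own result is dropped
		defer close(srvDone)
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	err = tls.Client(conn, clientCfg).Handshake()
	<-srvDone
	return err
}

// Outcome records how the three client configurations fare against the same server.
type Outcome struct {
	WrongRootsRejected bool // trust store lacks the issuer: x509.UnknownAuthorityError
	InsecureAccepted   bool // InsecureSkipVerify: any certificate goes through
	TrustedAccepted    bool // issuer in RootCAs plus ServerName: verified and accepted
}

// compareClientConfigs is the gRPC-independent core; credentials.NewTLS would wrap each config as is.
func compareClientConfigs() (Outcome, error) {
	serverCert, serverX509, err := newSelfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	// 1. Verification on, but no usable root: the "couldn't validate" failure from the question.
	err = handshake(serverCert, &tls.Config{ServerName: serverName, RootCAs: x509.NewCertPool()})
	var unknownCA x509.UnknownAuthorityError
	o.WrongRootsRejected = errors.As(err, &unknownCA)
	// 2. Verification off: the same handshake succeeds whoever signed the certificate.
	o.InsecureAccepted = handshake(serverCert, &tls.Config{InsecureSkipVerify: true}) == nil
	// 3. Recommended: trust the internal issuer and check the expected name (Java: trustManager(caFile)).
	roots := x509.NewCertPool()
	roots.AddCert(serverX509)
	o.TrustedAccepted = handshake(serverCert, &tls.Config{ServerName: serverName, RootCAs: roots}) == nil
	return o, nil
}
```

Case 3 is the fix the answer recommends: the certificate nginx serves must chain to a CA the client holds, and the client must dial (or override the authority to) a name that appears in the certificate's SANs; connecting by bare IP to a certificate issued for a hostname fails verification even with the right root installed.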
