Have you tried another gRPC language with same certs/keys to isolate this
issue to gRPC-Go implementation? You can find examples in other languages
here. https://grpc.io/docs/guides/auth/
On Wednesday, April 22, 2020 at 8:13:54 AM UTC-7 edward...@lacity.org wrote:
> -- Golang app server TLS connections to mobile clients --
>
> Everything is working except the FULL CHAIN of trust is not being sent.
>
> I created a pfx file (full identity file) converted it to PEM, loaded it
> into a Go app (code below) and it works great except the INTERMEDIATE
> certificates are not being sent as part of the chain of trust.
>
> I've tried all the examples I can find, but none have resolved my issue.
>
> I'm also using online TLS checker tools that mostly check web servers, I'm
> not sure if better tools exist for testing pure gRPC connections besides
> other one-off gRPC apps.
>
> Again, this is a pure gRPC, non-web related connection. Below is a
> snippet of code that is 99% working with comodo TLS certs, I'm concerned
> that my issue may be with the CertPool and how it gets passed to
> tls.Config. I'm following the examples but something is not working; also,
> it's not entirely obvious whether an event hook is required to fetch and
> unwind the CertPool or if the TLS libs can unwind everything in the proper
> order: host_key, [INTERMEDIATES], RootCA_key; I have to assume so.
>
>
> // Load the certificates from disk
> //
> certificate, err := tls.LoadX509KeyPair(crt, key)
> if err != nil {
> return fmt.Errorf("could not load server key pair: %s", err)
> } else {
> log.Println("loaded key pair")
> }
>
> // Read FullChain file from disk
> //
> CACert, err := ioutil.ReadFile(ca)
> if err != nil {
> return fmt.Errorf("could not read CACert certificate: %s", err)
> } else {
> log.Println("Found Cert Bundle")
> }
>
> // Create a certificate pool to hold certificates from authorities
> //
> certPool, _ := x509.SystemCertPool()
>
> // Append the client certificates from the CA
> //
> if ok := certPool.AppendCertsFromPEM(CACert); !ok {
> log.Println("----- Error: Not able to Append Certs to CertPool -----")
> } else {
> log.Println("Loaded PEM certs")
> }
>
> // TLS configuration object
> //
> tlsConfig := &tls.Config{
>
> RootCAs: certPool,
>
> Certificates: []tls.Certificate{certificate},
>
> CipherSuites: []uint16{
> tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
> tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
> tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
> tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
> },
>
> PreferServerCipherSuites: true,
>
> // Forbid all TLS below 1.2
> MinVersion: tls.VersionTLS12,
> }
>
> s := grpc.NewServer(
> grpc.Creds(credentials.NewTLS(tlsConfig)),
> grpc.KeepaliveParams(
> keepalive.ServerParameters{
> Time: (time.Duration((300) * time.Second)),
> Timeout: (time.Duration(10) * time.Second),
> },
> ),
> grpc.KeepaliveEnforcementPolicy(
> keepalive.EnforcementPolicy{
> MinTime: (time.Duration((300) * time.Second)),
> PermitWithoutStream: true,
> },
> ),
> )
>
> [... start listening boilerplate...]
>
>
>
>
>
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/26ae91c2-d639-48bd-8ad3-9f8dd2491410%40googlegroups.com.
