Grpc-web: proxy: certificate validation of backend service not working

Created on 11 Jan 2018  路  4Comments  路  Source: improbable-eng/grpc-web

If you specify a CA certificate to use in the proxy to verify the identity of the backend service, the certificate will en up as entry in tlsConfig.ClientCAs but the godocs are stating that:

// ClientCAs defines the set of root certificate authorities
// that servers use if required to verify a client certificate
// by the policy in ClientAuth.

So the CA-certificate should be installed there when preparing a server side tlsConfig. When preparing a client side config it should be placed in RootCAs instead (so the fix is trivial).

I think the behaviour has become more strictly with newer go-versions. I think it used to work.

good-first-issue help-wanted kinbug

Most helpful comment

currently I'm getting a transport: authentication handshake failed: x509: certificate signed by unknown authority

All 4 comments

currently I'm getting a transport: authentication handshake failed: x509: certificate signed by unknown authority

I'm experiencing this same issue. For now I'm going to have to set tls_noverify, which is not optimal.

This seems like a bug with a fairly straightforward fix (changing the set value). Can I help you get a fix for this merged @jonahbron?

Of course @johanbrandhorst , I just submitted a PR that assigns to the correct property. Completed based on @trusch's comments and the documentation.

https://golang.org/pkg/crypto/tls/#Config

Was this page helpful?
0 / 5 - 0 ratings

Related issues

jonahbron picture jonahbron  路  28Comments

johanbrandhorst picture johanbrandhorst  路  4Comments

ktr0731 picture ktr0731  路  13Comments

gertcuykens picture gertcuykens  路  15Comments

osechet picture osechet  路  8Comments