Hi, I am writing a gRPC client for a third-party gRPC server. The certificates issued to both the server and the client are SPIFFE based. These certificates don't have a Common Name and have the SPIFFE ID in the URI SAN field. However, there is an issue while validating the server certificate which leads to a handshake failure.

go version go1.12.1 linux/amd64

The CA has issued certificates for both client and server. My client code performs the steps below:

1. Populate the tls.Config structure:
   tlsConf.Certificates = []tls.Certificate{clientcertificate}
   tlsConf.RootCAs = caCertificatePool
   tlsConf.InsecureSkipVerify = false
2. creds = credentials.NewTLS(&tlsConf)
3. conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", "servername")
   conn, _, err = creds.ClientHandshake(ctx, "servername", conn)

ClientHandshake returns the error "x509: certificate is not valid for any names, but wanted to match <servername>". This error comes from the file https://golang.org/src/crypto/x509/verify.go, func (h HostnameError) Error() string.

After a little debugging, it looks like the sequence of events below is happening:

i) hostname is populated from addr (i.e. servername in this case) in DialWithDialer [https://golang.org/pkg/crypto/tls/#DialWithDialer]. This same hostname is populated as config.ServerName.
ii) config.ServerName is later used to populate DNSName in VerifyOptions.
iii) Since DNSName is non-empty, VerifyHostname() is called, which returns the error!

In short, when it is a SPIFFE certificate, the hostname match should be avoided and only the URI SAN should be matched. There is the option InsecureSkipVerify, which altogether skips hostname and certificate verification. I would like to know if there is an option to just skip the hostname match and continue with the rest of the certificate verification (required for mTLS).

Thanks,
Dheeraj
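Added example, not part of the original post and not Go's or grpc-go's own code: on go1.12 the way to skip only the hostname match is InsecureSkipVerify: true combined with a VerifyPeerCertificate callback that repeats the chain verification with DNSName left empty and then requires the expected SPIFFE ID among the leaf's URI SANs. Because InsecureSkipVerify is set, the verifiedChains argument the callback receives is nil, so the callback parses rawCerts itself; spiffeVerifier, checkPeer and the self-signed test certificate are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// spiffeVerifier builds a tls.Config.VerifyPeerCertificate callback for a config with
// InsecureSkipVerify: true: chain verification with DNSName empty (no hostname match), then wantID must be a URI SAN.
func spiffeVerifier(roots *x509.CertPool, wantID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		certs, err := x509.ParseCertificates(bytes.Join(rawCerts, nil)) // leaf first, then intermediates
		if err != nil || len(certs) == 0 {
			return fmt.Errorf("peer certificate missing or unparseable: %v", err)
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
		for _, c := range certs[1:] {
			opts.Intermediates.AddCert(c)
		}
		if _, err := certs[0].Verify(opts); err != nil {
			return err // untrusted issuer, expired, bad key usage, ...
		}
		for _, u := range certs[0].URIs {
			if u.String() == wantID {
				return nil
			}
		}
		return fmt.Errorf("peer certificate does not carry SPIFFE ID %q", wantID)
	}
}
// checkPeer is constructed test scaffolding: a self-signed cert with only leafID as a URI SAN (no CN, no DNS SAN), trusted as root.
func checkPeer(leafID, wantID string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(leafID)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return spiffeVerifier(roots, wantID)([][]byte{cert.Raw}, nil)
}
```

In the client code above this means tlsConf.InsecureSkipVerify = true and tlsConf.VerifyPeerCertificate = spiffeVerifier(caCertificatePool, "spiffe://<trust-domain>/<server-path>") (placeholder ID) before credentials.NewTLS(&tlsConf); from Go 1.15 onwards tls.Config.VerifyConnection offers the same hook with access to the full connection state.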