gRPC TLS mutual authentication with self-signed client certificates fails with "bad certificate"

Time: 2018-07-28 23:35:32

Tags: go grpc

Does Go gRPC support mutual TLS with self-signed client certificates? I am trying to use mutual TLS with Go gRPC, and I generated self-signed certificates for the server and the client with src/crypto/tls/generate_cert.go, but the client cannot connect to the server, which reports that it is a bad certificate.

Here is the relevant server code:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "log"
    "net"

    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"

    pb "path/to/expo/pb" // placeholder: the generated package's import path is not shown in the question
)

func main() {
    // load server cert/key, cacert
    srvcert, err := tls.LoadX509KeyPair("server.pem", "key.pem")
    if err != nil {
        log.Fatalf("SERVER: unable to read server key pair: %v", err)
    }
    // the client's self-signed cert is used directly as the trust anchor for client auth
    pem, err := ioutil.ReadFile("../client/client.pem")
    if err != nil {
        log.Fatalf("SERVER: unable to read client pem: %v", err)
    }
    certPool := x509.NewCertPool()
    if ok := certPool.AppendCertsFromPEM(pem); !ok {
        // AppendCertsFromPEM returns only a bool, so there is no err to print here
        log.Fatal("SERVER: unable to add client cert to pool")
    }
    ta := credentials.NewTLS(&tls.Config{
        Certificates: []tls.Certificate{srvcert},
        ClientCAs:    certPool,
        ClientAuth:   tls.RequireAndVerifyClientCert, // client must present a cert that verifies against ClientCAs
    })

    lis, err := net.Listen("tcp", ":51150")
    if err != nil {
        log.Fatalf("SERVER: unable to listen: %v", err)
    }
    s := grpc.NewServer(grpc.Creds(ta))
    pb.RegisterExpoServer(s, &server{})
    if err := s.Serve(lis); err != nil {
        log.Fatalf("SERVER: failed to serve: %v", err)
    }
}

And the relevant client code:

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io/ioutil"
    "log"

    "google.golang.org/grpc"
    "google.golang.org/grpc/credentials"

    pb "path/to/expo/pb" // placeholder: the generated package's import path is not shown in the question
)

func main() {
    // load client cert/key, cacert
    clcert, err := tls.LoadX509KeyPair("client.pem", "key.pem")
    if err != nil {
        log.Fatalf("CLIENT: unable to load client pem: %v", err)
    }
    // the server's self-signed cert is used directly as the trust anchor for server auth
    srvcert, err := ioutil.ReadFile("../server/server.pem")
    if err != nil {
        log.Fatalf("CLIENT: unable to load server cert: %v", err)
    }
    caCertPool := x509.NewCertPool()
    if ok := caCertPool.AppendCertsFromPEM(srvcert); !ok {
        // AppendCertsFromPEM returns only a bool, so there is no err to print here
        log.Fatal("CLIENT: unable to load server cert pool")
    }

    ta := credentials.NewTLS(&tls.Config{
        Certificates: []tls.Certificate{clcert},
        RootCAs:      caCertPool,
    })
    conn, err := grpc.Dial("localhost:51150", grpc.WithTransportCredentials(ta))
    if err != nil {
        log.Fatalf("CLIENT: unable to dial: %v", err)
    }
    defer conn.Close()

    c := pb.NewExpoClient(conn)
    _ = c // RPC calls (such as the checkin call from the error below) follow here
}

The client can dial, but when I try to call an RPC from the client I get this error:

2018/07/28 19:32:18 CLIENT: unable to checkin: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"

0 answers:

No answers