GRPC ssl with self-signed cert
Solution 1
By default, the certificate presented (in either direction) will be validated in several ways:
- Hostname must match the subject Common Name in the certificate presented.
- the certificate must not be revoked, by using CRL or OCSP to validate
- the root CA certificate must be trusted, and no intermediaries can be revoked
It's likely that you are running into #3, since it's a self-signed certificate (the root is itself and not trusted) and you're already using localhost
to connect to it. You could either add this certificate to your trusted CA certificate store or you can programmatically create an insecure certificate validation for your SSL Context. For more details on the Kotlin (Java) side, you can consult the SO here: Disabling certificate check in gRPC TLS
Solution 2
As mentioned in Matt's answer, your CA certificate is not trusted by the device running your Flutter app since it's self-signed.
Now you have 2 options:
- Get a valid certificate from a certificate authority like Verisign, or
- Disable the certificate verification in your Flutter app itself
Here's how to implement option 2. You simply add a BadCertificateHandler
to the ChannelCredentials
instance like so:
final cert = await rootBundle.load('cert.pem')
final certAsList = cert.buffer
.asUint8List(
cert.offsetInBytes,
cert.lengthInBytes,
)
.map((uint8) => uint8.toInt())
.toList()
final channel = new ClientChannel(
'localhost',
port: 8443,
options: ChannelOptions(
credentials: ChannelCredentials.secure(
certificates: certAsList,
onBadCertificate: (cert, host) => true, // <--- **** The missing part ****
),
),
)
By having a handler that always returns true
, you're basically disabling the certificate verification completely. Now whether you really want to do that or not is up to you ;)
Max
Updated on December 12, 2022Comments
-
Max over 1 year
I'm trying to use a self-signed certificate with GRPC. I generated the certificate / key with:
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
This gave me two files:
cert.pem
andkey.pem
.I have a Kotlin GRPC server that I setup like follows:
val ca = classLoader.getResourceAsStream("cert.pem") val key = classLoader.getResourceAsStream("key.pem") ServerBuilder .forPort(8443) .useTransportSecurity(ca, key) .addService(...) .build() .start()
This appears to start successfully. I have a flutter client that I setup the following way:
final cert = await rootBundle.load('cert.pem') final certAsList = cert.buffer .asUint8List( cert.offsetInBytes, cert.lengthInBytes, ) .map((uint8) => uint8.toInt()) .toList() final channel = new ClientChannel( 'localhost', port: 8443, options: ChannelOptions( credentials: ChannelCredentials.secure(certificates: certAsList), ), )
However, using this channel to connect to my service gives the following error:
gRPC Error (14, Error connecting: HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: ok(handshake.cc:352)))
What is wrong with this setup?