Hi team, I am building TLS for gRPC services/clients.
On the server side, we use the openssl SslAcceptor, set up like:
```rust
let acceptor = SslAcceptor::new(...);
// inside the accept loop, for each incoming TCP connection `conn`
let stream = match acceptor.handshake(conn).await {
    Ok(stream) => stream,
    Err(e) => {
        error!("Error during TLS handshake: {}", e);
        continue;
    }
};
```
On the client side, we use tonic's TLS config (which is based on rustls), set up like:
```rust
let tls_config = tonic::transport::ClientTlsConfig::new().ca_certificate(server_root_ca_cert);
let channel = tonic::transport::Endpoint::new(metadata_addr.to_string())?
    .tls_config(tls_config).unwrap()
    .connect()
    .await?;
```
====
tonic TLS by default validates the server cert and domain name. My questions are:

- Should I set a `core.security.tls_enable` flag to allow a non-TLS setup, since I can't skip client-side TLS validation?
- For a client connecting to the server, if I am using the `https://127.0.0.1:8000` URL, the connection fails with the error `Error during TLS handshake: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42`. If I am using `https://localhost:8000`, the connection succeeds. I am thinking this is due to the client-side domain verification. I am not sure what the RC for the error is and what the proper settings for the TLS client are.
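The `127.0.0.1` vs `localhost` difference comes down to how the client matches the URL's host against the server certificate's Subject Alternative Names: an IP literal is only ever matched against an IP SAN, never against a DNS SAN, so a cert issued for `localhost` alone is rejected and the client sends the `bad certificate` alert (42) that the server logs. The following is an added Go example (not code from the post, tonic or rustls) that builds a constructed self-signed cert and checks both names; it assumes the server cert in the question carries only a DNS SAN for `localhost`, and shows that adding an IP SAN for `127.0.0.1` makes the IP URL verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeServerCert builds a self-signed server certificate (constructed test data)
// whose Subject Alternative Names are the given DNS names and IP addresses.
func MakeServerCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames, // matched against a hostname such as "localhost"
		IPAddresses:  ips,      // matched against an IP literal such as 127.0.0.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether a client dialling `host` would accept this cert's
// identity under the RFC 6125 name-matching rule (IP literals match IP SANs only).
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	dnsOnly, _ := MakeServerCert([]string{"localhost"}, nil) // cert as assumed in the question
	fmt.Println("localhost:", HostMatches(dnsOnly, "localhost")) // true
	fmt.Println("127.0.0.1:", HostMatches(dnsOnly, "127.0.0.1")) // false: client rejects, server sees alert 42
	withIP, _ := MakeServerCert([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	fmt.Println("127.0.0.1 via IP SAN:", HostMatches(withIP, "127.0.0.1")) // true
}
```

Rather than disabling client-side validation, issue the server certificate with SANs for every name or address clients will actually dial.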