RUST tonic tls client settings on localhost

Hi team, I am building TLS for gRPC services/clients.

On the server side, we use openssl's SslAcceptor, set up like:

// openssl acceptor built with the server cert/key (configuration elided in the original)
let acceptor = SslAcceptor::new(...);
// accept one TLS connection inside the server's accept loop
let stream = match acceptor.handshake(conn).await {
    Ok(stream) => stream,
    Err(e) => {
        // this is where "sslv3 alert bad certificate" ends up being logged
        error!("Error during TLS handshake: {}", e);
        continue;
    }
};

On the client side, we use tonic's TLS config (which is based on rustls), set up like:

// trust only the CA that issued the server certificate
let tls_config = tonic::transport::ClientTlsConfig::new().ca_certificate(server_root_ca_cert);
let channel = tonic::transport::Endpoint::new(metadata_addr.to_string())?
    .tls_config(tls_config)?
    .connect()
    .await?;

====

tonic's TLS by default validates the server cert and domain name. My questions are:

  1. Should I set a core.security.tls_enable flag to allow a non-TLS setup, since I can't skip client-side TLS validation?
  2. For a client connecting to the server, if I use the https://127.0.0.1:8000 URL, the connection fails with the error Error during TLS handshake: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42. If I use https://localhost:8000 the connection succeeds. I am thinking this is due to the client-side domain verification. I am not sure what the RC for the error is and what the proper settings for the TLS client are.
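Alert 42 (bad_certificate) is sent by the client, so the failure in question 2 is the rustls name check on the client side: when the URL authority is an IP literal, rustls/webpki only accepts an iPAddress SAN and ignores dNSName entries, so a server cert issued only for DNS:localhost is rejected, and the two usual fixes are to add IP:127.0.0.1 to the server cert's SANs or to keep dialling the IP but call `.domain_name("localhost")` on `ClientTlsConfig` so verification uses the DNS name. The model below is an added example, not code from the post or from tonic/rustls; it re-implements that SAN matching decision over constructed SAN lists so the behaviour for both URLs can be checked offline:

```rust
use std::net::IpAddr;

/// A name as found in a subjectAltName entry, or as derived from the dialled URL.
#[derive(Debug, Clone, PartialEq)]
pub enum Name { Dns(String), Ip(IpAddr) }

/// Pull the host out of `https://host[:port][/...]` and classify it.
pub fn expected_name(url: &str) -> Option<Name> {
    let authority = url.strip_prefix("https://")?.split('/').next()?;
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?, // bracketed IPv6 literal, e.g. [::1]:8000
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    };
    if host.is_empty() { return None; }
    match host.parse::<IpAddr>() {
        Ok(ip) => Some(Name::Ip(ip)),
        Err(_) => Some(Name::Dns(host.to_ascii_lowercase())),
    }
}

/// dNSName match, including a single-label `*.` wildcard.
fn dns_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(sfx) => host.split_once('.').map_or(false, |(l, rest)| !l.is_empty() && rest == sfx),
        None => pattern == host,
    }
}

/// The rule rustls/webpki apply: an IP literal only matches an iPAddress SAN and a
/// hostname only matches a dNSName SAN; a dNSName spelled "127.0.0.1" never counts.
pub fn name_verifies(sans: &[Name], expected: &Name) -> bool {
    sans.iter().any(|san| match (san, expected) {
        (Name::Dns(p), Name::Dns(h)) => dns_matches(p, h),
        (Name::Ip(a), Name::Ip(b)) => a == b,
        _ => false,
    })
}

/// Does a cert carrying these SANs pass the name check for `url`?
pub fn url_verifies(sans: &[Name], url: &str) -> bool {
    expected_name(url).map_or(false, |e| name_verifies(sans, &e))
}

fn main() {
    // Constructed: a server cert issued only for DNS:localhost, as in the post.
    let cert = vec![Name::Dns("localhost".into())];
    println!("{}", url_verifies(&cert, "https://localhost:8000")); // true
    println!("{}", url_verifies(&cert, "https://127.0.0.1:8000")); // false
}
```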
