Unexpected NotValidForName with TLS in Rust tonic

jq6vz3qz  posted 2023-04-30  in  Other
Follow (0) | Answers (1) | Views (147)

I am using Rust's tonic library to implement gRPC with TLS.
I get the following error:

thread 'main' panicked at 'Failed to create request insight client: tonic::transport::Error(Transport,
   hyper::Error(Connect, Custom { kind: InvalidData, error: InvalidCertificate(NotValidForName) }))'

The same certificate works from other languages.
curl --cacert <path to cert> -vv <server>
shows the expected certificate subject name.
The ClientTlsConfig and Channel are created like this:

use tonic::transport::{Certificate, Channel, ClientTlsConfig};

// client_ca_data holds the PEM bytes of the CA certificate
let tls = ClientTlsConfig::new()
    .domain_name("server") // <server> matches the certificate subject name
    .ca_certificate(Certificate::from_pem(client_ca_data));
let channel = Channel::from_shared(endpoint.to_string()) // endpoint is http://server:50051
    .unwrap()
    .tls_config(tls)? // the config built above (the post wrote `tls_config`, which is not defined)
    .connect()
    .await?;

It is not clear what the next step should be.

cl25kdpy

I ran into the same problem when establishing a connection between server and client with rustls. Apparently Rust is strict about handling this kind of error according to the RFC rules. Use the bash script below to regenerate the key and self-signed certificate for your case. The generated files will live in the keys directory. Remember to change [alt_names] according to your setup.

#!/bin/sh
set -e
mkdir -p keys
cd keys/

# source: https://users.rust-lang.org/t/use-tokio-tungstenite-with-rustls-instead-of-native-tls-for-secure-websockets/90130

# Create unencrypted private key and a CSR (certificate signing request)
openssl req -newkey rsa:2048 -nodes -subj "/C=FI/CN=vahid" -keyout key.pem -out key.csr

# Create self-signed certificate (`cert.pem`) with the private key and CSR
openssl x509 -signkey key.pem -in key.csr -req -days 365 -out cert.pem

# Create a self-signed root CA
openssl req -x509 -sha256 -nodes -subj "/C=FI/CN=vahid" -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt

# Create file localhost.ext with the following content
# (`>` rather than `>>`, so re-running the script does not append a second copy):
cat <<'EOF' > localhost.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = server
IP.1 = <The Ip of the server!>
EOF

# Sign the CSR (`cert.pem`) with the root CA certificate and private key
# => this overwrites `cert.pem` because it gets signed
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in key.csr -out cert.pem -days 365 -CAcreateserial -extfile localhost.ext

Make sure the client has rootCA.crt in your code, like this:

let tls = ClientTlsConfig::new()
    .domain_name("server") // must match DNS.1 in [alt_names] above
    // from_pem takes the PEM contents, not a path, so read the file first
    .ca_certificate(Certificate::from_pem(std::fs::read("keys/rootCA.crt")?));
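A check for the exact condition rustls enforces, added here as an example and not part of the original answer: it reads a certificate's subjectAltName (ignoring the subject CN, as rustls's webpki does) and reports whether a given domain_name would be accepted, which is the difference between curl succeeding and tonic failing with NotValidForName. It assumes OpenSSL 1.1.1 or later is on PATH; the two certificates it generates are throwaway test material.

```shell
#!/bin/sh
# Added example (not from the original answer). rustls/webpki compares the
# requested domain_name only against subjectAltName entries and never against
# the subject CN, which is why curl can accept a certificate that tonic
# rejects with NotValidForName. These helpers apply the same strict rule.
# Assumes OpenSSL >= 1.1.1 on PATH (for `x509 -ext` and `req -addext`).

# Print the DNS and IP entries of the certificate's SAN extension, one per
# line ("DNS:server", "IP Address:10.0.0.5"). No output means no SAN at all.
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -v 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E '^(DNS|IP Address):'
}

# Succeed (exit 0) only if name $2 is present as a SAN DNS or IP entry of
# certificate $1, i.e. rustls would accept .domain_name("$2") for it.
san_matches() {
    san_entries "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Throwaway demo material: a CN-only certificate like the one in the
# question, and one that also carries the SAN the answer's localhost.ext adds.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server" \
        -keyout "$dir/cn.key" -out "$dir/cn.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server" \
        -addext "subjectAltName=DNS:server,IP:10.0.0.5" \
        -keyout "$dir/san.key" -out "$dir/san.pem" 2>/dev/null
    for f in cn san; do
        if san_matches "$dir/$f.pem" server; then
            echo "$f.pem: domain_name(\"server\") accepted"
        else
            echo "$f.pem: NotValidForName (SAN entries: $(san_entries "$dir/$f.pem" | tr '\n' ' '))"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run it against your own cert.pem with `san_matches keys/cert.pem server` to confirm the name you pass to domain_name really is in the SAN before retrying the tonic client.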
