I'm using .NET (C#) gRPC to build sample client-server test applications. I'm generating SSL certificates in code using the DiDiSoft library. The certificates are generated using the "server" machine name.
When I connect the server and client apps using the machine name, the handshaking works correctly. If I use an IP address, it does not. In my reading, it's not recommended to use IP addresses to generate certs. Am I limited to using the machine name when setting up gRPC connections using SSL certs?
Sample code for setting up certificates:
    var serverKeypair = rsa.GenerateRsaKeyPair(KeyLength.Length4096);
    serverKeypair.Private.Save(Path.Combine(certsPath, "server.key"));
    X509Name serverCertificateProperties = new X509Name()
    {
        C = "US",
        ST = "VA",
        O = "SomeName",
        OU = "gRPCAPI",
        CN = "MACHINE-NAME",
    };
    var serverCert = Certificate.CreateCertificate(serverKeypair.Public,
        newca.CACertificate.SubjectPublicKey,
        newca.CAPrivateKey,
        serverCertificateProperties,
        newca.CAProperties,
        null,
        "01",
        newca.CACertificate.SerialNumber,
        true,
        new[] { KeyUsages.DigitalSignature },
        DateTime.Now, DateTime.Now.AddYears(1));
    serverCert.Save(Path.Combine(certsPath, "server.crt"));
Code snippet for starting up gRPC Server:
    // "Server" App
    ServerServiceDefinition serverDef = new ServerDefinitionFoo();
    var sslCredentials = GetCerts();
    var server = new Server()
    {
        Services = { serverDef },
        Ports = { new ServerPort("192.168.1.", port, sslCredentials) }
    };
    server.Start();
Code snippet for setting up gRPC Client:
    // Client App
    static SslCredentials GetSslCredentials()
    {
        var certsFolder = Path.Combine(Environment.CurrentDirectory, "Certs");
        var cacert = File.ReadAllText(Path.Combine(certsFolder, "newca.crt"));
        var cert = File.ReadAllText(Path.Combine(certsFolder, "client.crt"));
        var key = File.ReadAllText(Path.Combine(certsFolder, "client.key"));
        var keyPair = new KeyCertificatePair(cert, key);
        var Creds = new SslCredentials(cacert, keyPair);
        return Creds;
    }

    var sslCredentials = GetSslCredentials();
    var channel = new Channel("MACHINE-NAME:30052", sslCredentials);
    var apiProvider = new UtilitiesApi(new UtilitiesService.UtilitiesServiceClient(channel));
    var retVal = apiProvider.SomeServiceCall("Test Data");
The above scenario works successfully.
If I change the following code snippet:
    var channel = new Channel("192.168.1.9:30052", sslCredentials);
I get the following exception on the client:
Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses", DebugException="Grpc.Core.Internal.CoreErrorDetailException: {"created":"@1605192569.522000000", "description":"Failed to pick subchannel","file"
I get the following error message (through logging) on the server console.
E1112 09:49:29.510018 0 T:\src\github\grpc\workspace_csharp_ext_windows_x64\src\core\tsi\ssl_transport_security.cc:1807: No match found for server name: 192.168.1.9.
Should I be able to use an IP address when initiating the client-server handshake?
Thanks, JohnB
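
Added example (not part of the original post, and written with .NET's built-in CertificateRequest API rather than the DiDiSoft library used in the question): TLS name checks compare an IP target against iPAddress entries in the certificate's subjectAltName, so this issues a server certificate that lists both MACHINE-NAME and 192.168.1.9. The CA name "Example Test CA" and the validity periods are constructed for illustration, and the code assumes .NET 5 or later.

```csharp
// Added example: built-in .NET certificate APIs, not the DiDiSoft calls from the post.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var now = DateTimeOffset.UtcNow;

// Constructed throwaway CA standing in for "newca" from the question.
using RSA caKey = RSA.Create(4096);
var caReq = new CertificateRequest("CN=Example Test CA", caKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
    X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
using X509Certificate2 ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddYears(2));

// Server certificate: same subject CN as in the question.
using RSA serverKey = RSA.Create(4096);
var req = new CertificateRequest("CN=MACHINE-NAME", serverKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

// subjectAltName carries every name a client may dial: a dNSName entry for
// the machine name and an iPAddress entry for the address.
var san = new SubjectAlternativeNameBuilder();
san.AddDnsName("MACHINE-NAME");
san.AddIpAddress(IPAddress.Parse("192.168.1.9"));
req.CertificateExtensions.Add(san.Build());
req.CertificateExtensions.Add(new X509KeyUsageExtension(
    X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
    new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // serverAuth

// Random serial; validity must fall inside the CA's own validity window.
byte[] serial = new byte[16];
RandomNumberGenerator.Fill(serial);
using X509Certificate2 serverCert =
    req.Create(ca, now.AddMinutes(-5), now.AddYears(1), serial);

// Diagnostic: print the SAN (OID 2.5.29.17) to confirm which names are covered.
foreach (X509Extension ext in serverCert.Extensions)
    if (ext.Oid?.Value == "2.5.29.17")
        Console.WriteLine(ext.Format(true));

// PEM text in the form gRPC's KeyCertificatePair expects.
Console.WriteLine(new string(PemEncoding.Write("CERTIFICATE", serverCert.RawData)));
Console.WriteLine(new string(PemEncoding.Write("RSA PRIVATE KEY", serverKey.ExportRSAPrivateKey())));
```

The same SAN printout run against an existing server.crt shows whether the address a client dials is actually listed in the certificate.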