Disabling certificate check in gRPC TLS

Published 2020-04-14 07:39

Question:

Currently, I have an nginx server (on port 5001) behind which a gRPC server is running, with nginx having TLS enabled. All gRPC clients need to send their requests to the nginx port, which forwards them to the running gRPC server. Initially, for testing, I had the gRPC requests using usePlaintext() and it all worked fine, but the end goal is to use TLS. The requirement here is (as these are internal applications) that the gRPC channel request need not pass a certificate but do a "skip certificate" when creating the channel. After Googling around, I found examples on TLS, but all of them take .cert and .key files. Below is the snippet which I tried; it failed at the server end, which couldn't validate the certificate.

 (Java code)
import java.io.File;
import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;

// Client channel that trusts only the certificate in <.cert file>
ManagedChannel channel = NettyChannelBuilder.forAddress(<server IP address>, 5001)
                        .sslContext(GrpcSslContexts.forClient()
                                .trustManager(new File(<.cert file>))
                                .build())
                        .build();

Doing some more research, I see Golang has InsecureSkipVerify, using which I can skip the certificate check (please correct me if I am wrong):

// Needs "crypto/tls" and "google.golang.org/grpc/credentials"
tc := credentials.NewTLS(&tls.Config{
                InsecureSkipVerify: true, // skip server certificate verification
            })

Now how do I accomplish the same in java?

Answer 1:

TLS with disabled certificate checking is of questionable usefulness because it can be trivially MITMed and so is not "supported" by gRPC. I highly recommend providing the client with proper root certificates to verify the server.

That said, you can go around gRPC's API to do this by passing Netty's InsecureTrustManagerFactory to SslContextBuilder.trustManager(TrustManagerFactory):

import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;

// Accepts any server certificate: no protection against a MITM
NettyChannelBuilder.forAddress("<server IP address>", 5001)
    .sslContext(GrpcSslContexts.forClient()
      .trustManager(InsecureTrustManagerFactory.INSTANCE)
      .build())
    .build();
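The question points at Go's InsecureSkipVerify as the model for the Java setting, and the answer warns that the resulting connection can be trivially MITMed. The program below is an added illustration of both points; it is not code from the question, the answer or the gRPC project. It builds an internal CA and an attacker's CA in memory, has a server present a certificate issued by the attacker (exactly what a man-in-the-middle does), and runs three real TLS handshakes over loopback: an InsecureSkipVerify client accepts the impostor, a client whose RootCAs is pinned to the internal CA rejects it with x509.UnknownAuthorityError, and that same pinned client still accepts the genuine server. It uses crypto/tls directly rather than gRPC's credentials.NewTLS, which only wraps a *tls.Config, so the verdicts carry over unchanged to a gRPC channel. The endpoint name grpc.internal, the CA names and the use of a loopback port are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "grpc.internal" // assumed name of the internal gRPC endpoint behind nginx

// identity pairs the tls.Certificate a server presents with its parsed x509 form.
type identity struct {
	tlsCert tls.Certificate
	cert    *x509.Certificate
}

func (id *identity) server() *tls.Config { return &tls.Config{Certificates: []tls.Certificate{id.tlsCert}} }

// issue mints, in memory, a self-signed CA (parent nil) or a server leaf for host signed by parent.
func issue(cn string, parent *identity) (*identity, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA never reuses serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signerCert, signerKey = parent.cert, parent.tlsCert.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{tlsCert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert: cert}, nil
}

// handshake runs one TLS handshake over loopback TCP and returns the client's verdict.
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the server only has to answer; its own handshake error is not the point
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	// The dialer timeout also bounds the handshake, so a misbehaving peer cannot hang the demo.
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo serves a certificate from an attacker's CA and asks: did InsecureSkipVerify accept it,
// did a client pinned to the internal CA reject it, and does that client still accept the genuine server?
func Demo() (skipAcceptedRogue, pinnedRejectedRogue, pinnedAcceptedGenuine bool, err error) {
	mint := func(cn string, parent *identity) (id *identity) { // stops at the first failure
		if err == nil {
			id, err = issue(cn, parent)
		}
		return id
	}
	internalCA, attackerCA := mint("Internal Root CA", nil), mint("Attacker CA", nil)
	genuine, rogue := mint(host, internalCA), mint(host, attackerCA)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(internalCA.cert)
	pinned := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}
	// InsecureSkipVerify is the Go form of the "skip certificate" request from the question.
	skipAcceptedRogue = handshake(rogue.server(), &tls.Config{InsecureSkipVerify: true}) == nil
	pinnedRejectedRogue = errors.As(handshake(rogue.server(), pinned), new(x509.UnknownAuthorityError))
	pinnedAcceptedGenuine = handshake(genuine.server(), pinned) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true true true <nil>`: the skip-verify client happily completed a handshake with the impostor, while the pinned client refused the impostor and accepted the real server. The pinned configuration is the Go counterpart of handing the Java client the internal CA certificate via trustManager(File), which is what the answer recommends; for internal services this is usually a single CA file distributed with the client, not a per-server .key/.cert pair.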