Using TLS to connect

[s1lver]

Hi!

I'm trying to set up a connection using TLS for gRPC.

I set up the rr connection according to the configuration example: https://raw.githubusercontent.com/roadrunner-server/roadrunner/master/.rr.yaml

• Issued a root certificate.
• Issued a server certificate.
• Issued a client certificate signed by the issued root certificate.

grpc:
  ...
  tls:
    key: "server.key"
    cert: "server.crt"
    root_ca: "ca.crt"
    client_auth_type: require_and_verify_client_cert

On the client side:

$credentials = ChannelCredentials::createSsl(
    file_get_contents('ca.pem'), 
    file_get_contents('client.key'),
    file_get_contents('client.pem')
);

However, I am getting either handshake errors or a blank in response.

What is the difference between the options: request_client_cert, require_any_client_cert, verify_client_cert_if_given, require_and_verify_client_cert ?

How to set up TLS authorization correctly?

[rustatian]

Hey @s1lver, nice to meet you 👋🏻
These options describe a TLS client authentication policy (during the handshake). You also missed the no_client_cert option.

For example, if you set the client_auth_type: no_client_cert, RR will not request the certificates from the client to verify.
require_any_client_cert: indicates, that a client certificate should be requested during the handshake.
verify_client_cert_if_given: certificate should be requested, but the server doesn't require that.
require_and_verify_client_cert : this is the most strict option. The certificate should be requested during the handshake and that should be at least 1 valid certificate.

[s1lver]

Also, keep in mind that the root_ca certificate is used to validate your client certificates.

Yes, this is what I need. I want to validate the client certificate when establishing a connection

You also missed the no_client_cert option.

This is the clearest option, everything works with her)

Yeah, to verify certs, try to bundle all certs into the root_ca in the RR.

options key, cert are not needed then? Connections will be with different certificates, but signed by the same root

[rustatian]

You need the key and certificate to establish an SSL connection. Just try to bundle all certs/keys into the RR's root_ca and then use one of the options with validation.

[s1lver]

Tried in different ways, but I only get handshake errors.

E0427 12:37:22.918138400 43 ssl_transport_security.cc:1504] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
Status code: 14
Details: failed to connect to all addresses

Perhaps I'm not using certificates in the server setup at all.

grpc:
  ...
  tls:
    key: "server.key" #Is the key used here when creating a request to issue a server certificate?
    cert: "server.crt" #Is the issued server certificate being used here?
    root_ca: "ca.crt" #Is the root certificate used here signed by the server and all client certificates?
    client_auth_type: require_and_verify_client_cert

$credentials = ChannelCredentials::createSsl(
    file_get_contents('ca.pem'), //Is the root certificate used here that signed all certificates, both client and server?
    file_get_contents('client.key'), //Is the key used here when creating a request to issue a client certificate?
    file_get_contents('client.pem')  //Isthe client certificate signed by root is used?
);

[s1lver]

tracing a request using an option GRPC_VERBOSITY=debug GPRC_TRACE=tcp somehow doesn’t give much more information

[rustatian]

I'm not a PHP dev, so, can't help you with the PHP code. Try to add the file_get_contents('client.pem'), file_get_contents('client.key') and the file_get_contents('ca.pem') to the root_ca: "ca.crt". Just copy-and-past the content of these 3 certs to the ca.crt.

[s1lver]

However, I think there is some kind of error on the server.I verified the validity of the issued certificates. Checked curl does not issue warnings. Went through all possible options. I am getting the same error:

Status code: 14
Status details: failed to connect to all addresses

The roadrunner is silent

[INFO] RoadRunner server started; version: 2.10.2, buildtime: 2022-05-26T12:30:20+0000

and without tls

[INFO] RoadRunner server started; version: 2.10.2, buildtime: 2022-05-26T12:30:20+0000
method was called successfully {"method": "/ping.Echo/ping", "start": 1653667364235070100, "elapsed": 8831700}

[rustatian]

This is strange because we have test certs generated by the mkcert tool in the tests: https://github.com/roadrunner-server/rr-e2e-tests/tree/master/plugins/http/fixtures/test-certs to test the mTLS connection in various scenarios. It might be curl has some additional root certs; hard to say. I also asked some users about their mTLS experience with RR and have no complaints... However, if that is possible to reproduce the issue on mkcert certificates, you may describe the steps and fill the ticket, and I'll be happy to help you.

[rustatian]

Works correctly: https://github.com/s1lver/rr-grpc-tls-php
discord-chat