I am a bit lost, being a total crypto-noob. We are using gRPC secured by TLS & client certificates in our shop. We used the python libraries both for client & server and want to now try using https://github.com/hyperium/tonic for some of the clients. However, when I try to connect using tonic I see these errors:
I am quite confident that all of our certificates are v1 (compared to being v3), both client and server. I frankly have no idea what that means, but running openssl seems to confirm this:
    openssl x509 -text -noout -in cert_v1.der -inform DER
    Certificate:
        Data:
            Version: 1 (0x0)
    <rest of output cut>
I seem to be gleaning from https://github.com/briansmith/webpki/blob/main/tests/cert_v1_unsupported.rs that V1 is not supported in this repo and that seems to be the root cause of my issue.
I read up how to create v3 certs, but doing so is costly: rotating our root CA and server certificates, as well as all of our clients, is a multi-day endeavour for just running some experiments with Rust. And even then I am not sure if this would help. I also do not understand what the advantage is of v3 vs v1.
So after this long backstory, here are my questions: Why is v1 not supported? Are there some good reasons why it should not be used anymore, or did just nobody get around to implementing support for it? What do you suggest is my best path forward here?
I am sorry that this is not really a bug report, more a mix of confusion and request for tutoring; I hope it finds kind consideration.
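
The version that `openssl x509 -text` reports above can also be read straight from the DER bytes, which helps when inventorying many certificates before planning a reissue. This is an added example, not part of the original post and not code from tonic or webpki; it uses only the Rust standard library, and the sample byte arrays are constructed for illustration.

```rust
// RFC 5280: TBSCertificate begins with `version [0] EXPLICIT INTEGER DEFAULT v1`,
// so a v1 certificate omits the field and begins directly with serialNumber.
/// Read one DER TLV; returns (tag, content, remaining bytes).
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, mut rest) = rest.split_first()?;
    let len = if first < 0x80 {
        first as usize
    } else {
        // Long form: the low 7 bits give the number of length bytes that follow.
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        let (len_bytes, after) = rest.split_at(n);
        rest = after;
        len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize)
    };
    if rest.len() < len { return None; }
    let (content, remaining) = rest.split_at(len);
    Some((tag, content, remaining))
}

/// Returns 1, 2 or 3 for a DER-encoded certificate, or None if it does not parse.
pub fn x509_version(der: &[u8]) -> Option<u8> {
    let (tag, cert, _) = read_tlv(der)?; // Certificate ::= SEQUENCE
    if tag != 0x30 { return None; }
    let (tag, tbs, _) = read_tlv(cert)?; // tbsCertificate ::= SEQUENCE
    if tag != 0x30 { return None; }
    let (tag, first, _) = read_tlv(tbs)?;
    match tag {
        0x02 => Some(1), // serialNumber comes first: version defaulted to v1
        0xa0 => { // [0] EXPLICIT wraps INTEGER 0, 1 or 2, meaning v1, v2, v3
            let (tag, int, _) = read_tlv(first)?;
            match (tag, int) {
                (0x02, [v @ 0..=2]) => Some(*v + 1),
                _ => None,
            }
        }
        _ => None,
    }
}

// Constructed minimal inputs, not real certificates: encoded only up to serialNumber.
pub const V1_SAMPLE: [u8; 7] = [0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01];
pub const V3_SAMPLE: [u8; 12] =
    [0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01];

fn main() {
    println!("v1: {:?}, v3: {:?}", x509_version(&V1_SAMPLE), x509_version(&V3_SAMPLE));
}
```

The input must be DER; a PEM file has to be base64-decoded first.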