Closed vinothsa4891 closed 2 weeks ago
PR Created - https://github.com/grpc/grpc-node/pull/2812
Adding a fix to ignore self-signed certificates verification
File : grpc-node/packages/grpc-js/src/transport.ts.
    connectionOptions = {
      ...connectionOptions,
      ...address,
      enableTrace: options['grpc-node.tls_enable_trace'] === 1,
      rejectUnauthorized: options['grpc-node.tls_reject_unauthorized'] ?? true,
    };
We already have an established way to make a client accept self-signed certificates: create a CA certificate file with the signing certificate information, and pass the contents of that file in the first argument of credentials.createSsl.
@murgatroid99 Yes, that works, but in our case it is acceptable to disregard the certificate verification, and http2.connect works only with rejectUnauthorized set to false for self-signed certificates.
@murgatroid99 I tried with verifyOptions checkServerIdentity: () => null, but with this I was able to disable only the hostname/CN name verification. I'm still getting an error for the self-signed certificate. I see only rejectUnauthorized: false to bypass the verification of self-signed certificates and allow the client to make SSL requests without validating the server’s SSL certificate.
Hello, @murgatroid99, is there an estimate of when this fix will be released?
This is a new feature, so it will be out in the next minor release. I don't have a specific estimate for the release but it will likely be soon.
This has been released in version 1.12.x.
Problem description
We have a use case to access the gRPC service via tunneling through a reverse proxy. The proxy has a self-signed TLS certificate.
I see an option to disable the verification of the server's TLS certificate in client credentials: checkServerIdentity: () => undefined. This is not working, as I'm getting the error "Error: 14 UNAVAILABLE: No connection established. Last error: self-signed certificate in certificate chain".
const verifyOptionsFalse = { checkServerIdentity: () => undefined, };
this._grpcObj.<< serviceName >>( "<< proxy_dns >>:8081", sslCreds, )
This is working only if I pass the server ssl_certificate (e.g. servercert.crt) or set process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'.
Also, in Golang it's working by just setting "InsecureSkipVerify:false":
creds := credentials.NewTLS(&tls.Config{ InsecureSkipVerify: true, })
Environment
OS name, version and architecture: Linux Debian
Node version 18.19.0
Package name and version gRPC@1.11.1
@murgatroid99
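A defender-side check for the settings discussed in this thread, as an added example that is not part of the original issue, the PR, or grpc-js. The option name and the environment variable come from the thread; the function names, the probe certificate, and the choice to flag any falsy option value are assumptions made for illustration.

```javascript
// Added example, not grpc-js code: reports which of the settings named in this
// thread would turn off part of server-certificate verification for a client.
const REJECT_OPTION = 'grpc-node.tls_reject_unauthorized'; // option name from the PR

// Constructed certificate fields for a host that differs from the probe host.
const PROBE_CERT = { subject: { CN: 'other.invalid' }, subjectaltname: 'DNS:other.invalid' };

// Same expression as the PR: an unset option keeps verification on.
function effectiveRejectUnauthorized(channelOptions) {
  return channelOptions[REJECT_OPTION] ?? true;
}

// True when the callback accepts a certificate issued for a different host.
function acceptsWrongHost(checkServerIdentity) {
  try {
    const result = checkServerIdentity('probe.invalid', PROBE_CERT);
    return result === undefined || result === null;
  } catch {
    return false; // a callback that throws is rejecting the certificate
  }
}

// Hypothetical audit helper: returns one finding per weakened check.
function auditTlsVerification({ channelOptions = {}, verifyOptions = {}, env = {} } = {}) {
  const findings = [];
  // Assumption: any falsy value that `??` passes through is treated as "off".
  if (!effectiveRejectUnauthorized(channelOptions)) {
    findings.push({ scope: 'channel', setting: REJECT_OPTION,
      risk: 'certificate chain is not verified on this channel' });
  }
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({ scope: 'process', setting: 'NODE_TLS_REJECT_UNAUTHORIZED',
      risk: 'certificate errors are ignored by every TLS client in the process' });
  }
  if (typeof verifyOptions.checkServerIdentity === 'function' &&
      acceptsWrongHost(verifyOptions.checkServerIdentity)) {
    findings.push({ scope: 'channel', setting: 'checkServerIdentity',
      risk: 'hostname is not matched against the certificate' });
  }
  return findings;
}

// Constructed sample: the client configuration described in the issue body.
console.log(auditTlsVerification({
  verifyOptions: { checkServerIdentity: () => undefined },
  env: { NODE_TLS_REJECT_UNAUTHORIZED: '0' },
}));
```

Run it against the real channel options and `process.env` at client start-up, and treat a non-empty result as a reason to supply the CA certificate through credentials.createSsl instead.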