grpc / grpc-node

gRPC for Node.js
https://grpc.io
Apache License 2.0
4.48k stars 648 forks

Node.JS @grpc/grpc-js issue with disabling the verification of the server's TLS certificate #2811

Closed vinothsa4891 closed 2 weeks ago

vinothsa4891 commented 2 months ago

Problem description

We have a use case to access the gRPC service via Tunneling through a reverse proxy. The Proxy has a self-signed TLS certificate.

I see an option to disable the verification of the server's TLS certificate in client credentials, checkServerIdentity: () => undefined. This is not working, as I'm getting the error "Error: 14 UNAVAILABLE: No connection established. Last error: self-signed certificate in certificate chain".

const verifyOptionsFalse = { checkServerIdentity: () => undefined };

const sslCreds = grpc.credentials.createSsl(
  null,
  null,
  null,
  verifyOptionsFalse
);

this._grpcObj.<< serviceName >>("<< proxy_dns >>:8081", sslCreds)

This works only if I pass the server's ssl_certificate (e.g. servercert.crt) or set process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'.

Also in Golang it's working by just setting "InsecureSkipVerify:false":

creds := credentials.NewTLS(&tls.Config{ InsecureSkipVerify: true })

Environment
OS name, version and architecture: Linux Debian
Node version: 18.19.0
Package name and version: gRPC@1.11.1

@murgatroid99

vinothsa4891 commented 2 months ago

PR Created - https://github.com/grpc/grpc-node/pull/2812

Adding a fix to ignore self-signed certificate verification.

File: grpc-node/packages/grpc-js/src/transport.ts

connectionOptions = {
  ...connectionOptions,
  ...address,
  enableTrace: options['grpc-node.tls_enable_trace'] === 1,
  rejectUnauthorized: options['grpc-node.tls_reject_unauthorized'] ?? true,
};

murgatroid99 commented 2 months ago

We already have an established way to make a client accept self-signed certificates: create a CA certificate file with the signing certificate information, and pass the contents of that file in the first argument of credentials.createSsl.

vinothsa4891 commented 2 months ago

@murgatroid99 Yes, that works, but in our case it is acceptable to disregard the certificate verification, and http2.connect works only with rejectUnauthorized as false for self-signed certificates.

vinothsa4891 commented 1 month ago

@murgatroid99 I tried with verifyOptions checkServerIdentity: () => null, but with this I was able to disable only the hostname/CN name verification. I'm still getting an error for the self-signed certificate. I see only rejectUnauthorized: false to bypass the verification of self-signed certificates and allow the client to make SSL requests without validating the server's SSL certificate.

darnley commented 1 month ago

Hello, @murgatroid99, is there an estimate of when this fix will be released?

murgatroid99 commented 1 month ago

This is a new feature, so it will be out in the next minor release. I don't have a specific estimate for the release but it will likely be soon.

murgatroid99 commented 2 weeks ago

This has been released in version 1.12.x.