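How do I enable server-side SSL for gRPC?

I'm new to gRPC and can't find any example of how to enable SSL on the server side. I generated a key pair using openssl, but it complains that the private key is invalid.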

    D0608 16:18:31.390303 Grpc.Core.Internal.UnmanagedLibrary Attempting to load native library "...\grpc_csharp_ext.dll"
    D0608 16:18:31.424331 Grpc.Core.Internal.NativeExtension gRPC native library loaded successfully.
    E0608 16:18:43.307324 0 ..\src\core\lib\tsi\ssl_transport_security.c:644: Invalid private key.
    E0608 16:18:43.307824 0 ..\src\core\lib\security\security_connector.c:821: Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
    E0608 16:18:43.307824 0 ..\src\core\ext\transport\chttp2\server\secure\server_secure_chttp2.c:188: Unable to create secure server with credentials of type Ssl.

Here is my code:

    var keypair = new KeyCertificatePair(
        File.ReadAllText(@"root-ca.pem"),
        File.ReadAllText(@"ssl-private.key"));
    SslServerCredentials creds = new SslServerCredentials(new List<KeyCertificatePair>() { keypair });
    Server server = new Server
    {
        Services = { GrpcTest.BindService(new GrpcTestImpl()) },
        Ports = { new ServerPort("127.0.0.1", Port, creds) }
    };

Here is what I did.

Using OpenSSL, generate the certificates with the following:

    @echo off
    set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg

    echo Generate CA key:
    openssl genrsa -passout pass:1111 -des3 -out ca.key 4096

    echo Generate CA certificate:
    openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=MyRootCA"

    echo Generate server key:
    openssl genrsa -passout pass:1111 -des3 -out server.key 4096

    echo Generate server signing request:
    openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%COMPUTERNAME%"

    echo Self-sign server certificate:
    openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    echo Remove passphrase from server key:
    openssl rsa -passin pass:1111 -in server.key -out server.key

    echo Generate client key
    openssl genrsa -passout pass:1111 -des3 -out client.key 4096

    echo Generate client signing request:
    openssl req -passin pass:1111 -new -key client.key -out client.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=%CLIENT-COMPUTERNAME%"

    echo Self-sign client certificate:
    openssl x509 -passin pass:1111 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

    echo Remove passphrase from client key:
    openssl rsa -passin pass:1111 -in client.key -out client.key

Change the password 1111 to whatever you like.

Server:

    var cacert = File.ReadAllText(@"ca.crt");
    var servercert = File.ReadAllText(@"server.crt");
    var serverkey = File.ReadAllText(@"server.key");
    // First argument is the certificate chain, second is the private key.
    var keypair = new KeyCertificatePair(servercert, serverkey);
    // Third argument is forceClientAuth; false means a client certificate is not required.
    var sslCredentials = new SslServerCredentials(new List<KeyCertificatePair>() { keypair }, cacert, false);

    var server = new Server
    {
        Services = { GrpcTest.BindService(new GrpcTestImpl(writeToDisk)) },
        Ports = { new ServerPort("0.0.0.0", 555, sslCredentials) }
    };
    server.Start();

Client:

    var cacert = File.ReadAllText(@"ca.crt");
    var clientcert = File.ReadAllText(@"client.crt");
    var clientkey = File.ReadAllText(@"client.key");
    // Root CA used to verify the server, plus the client's own certificate and key.
    var ssl = new SslCredentials(cacert, new KeyCertificatePair(clientcert, clientkey));
    channel = new Channel("localhost", 555, ssl);
    client = new GrpcTest.GrpcTestClient(channel);

If "localhost" does not work, use the hostname instead.
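
An added example, not part of the original answer or of Grpc.Core: a pre-flight check on the PEM text passed to KeyCertificatePair, covering the two things the setup above relies on, a certificate as the first argument and a key with its passphrase removed as the second. The PemPreflight helper and the sample PEM strings are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of Grpc.Core): inspects PEM text before it is
// passed to KeyCertificatePair(certificateChain, privateKey).
static class PemPreflight
{
    static readonly Regex Block = new Regex(
        @"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", RegexOptions.Singleline);

    // Returns the problems found; an empty list means both inputs look loadable.
    public static List<string> Check(string certChainPem, string privateKeyPem)
    {
        var problems = new List<string>();
        var labels = new List<string>();
        foreach (Match m in Block.Matches(certChainPem)) labels.Add(m.Groups[1].Value);
        if (labels.Count == 0 || labels.Exists(l => l != "CERTIFICATE"))
            problems.Add("certificate argument is not a pure CERTIFICATE chain");

        Match key = Block.Match(privateKeyPem);
        string label = key.Groups[1].Value, body = key.Groups[2].Value;
        if (!key.Success || !label.EndsWith("PRIVATE KEY", StringComparison.Ordinal))
            problems.Add("key argument has no PRIVATE KEY block");
        else if (label == "ENCRYPTED PRIVATE KEY"             // encrypted PKCS#8
                 || body.Contains("Proc-Type: 4,ENCRYPTED"))  // legacy PEM encryption
            problems.Add("private key is still passphrase-protected");
        return problems;
    }
}

static class Program
{
    // Constructed samples: the bodies are placeholders, not real key material.
    const string Cert = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
    const string PlainKey = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n";
    const string EncryptedKey = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        + "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n";

    static void Main()
    {
        Report("cert + plain key", PemPreflight.Check(Cert, PlainKey));
        Report("cert + encrypted key", PemPreflight.Check(Cert, EncryptedKey));
        Report("arguments swapped", PemPreflight.Check(PlainKey, Cert));
    }

    static void Report(string name, List<string> problems) =>
        Console.WriteLine(name + ": " + (problems.Count == 0 ? "ok" : string.Join("; ", problems)));
}
```

The check only reads PEM labels and headers; it does not verify that the key matches the certificate or that the certificate chains to ca.crt.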