最近在golang 1.15+版本上,用 gRPC通過TLS實現資料傳輸加密時,遇到了一個問題

yangliang發表於2021-07-16

用 gRPC通過TLS實現資料傳輸加密時,遇到了一個問題:

use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

解決方案

  • 建立 ca.conf
# OpenSSL request configuration for the CA key/CSR
# (read by the "openssl req -config ca.conf" step below).
[ req ]

# 4096-bit RSA key; matches the "openssl genrsa ... 4096" step.
default_bits = 4096

distinguished_name = req_distinguished_name

# NOTE(review): this config defines no CA extensions (no [ v3_ca ] section,
# no req_extensions), so any basicConstraints/keyUsage for ca.crt has to come
# from the "openssl x509" step itself. In this article the gRPC client pins
# server.pem rather than ca.crt, so nothing here verifies against ca.crt.
[ req_distinguished_name ]

# Each *_default below is what "openssl req" uses when the prompt is
# answered with Enter.
countryName = Country Name (2 letter code)

countryName_default = CN

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = JiangSu

localityName = Locality Name (eg, city)

localityName_default = NanJing

organizationName = Organization Name (eg, company)

organizationName_default = Sheld

# CN of the CA itself. The Go 1.15+ SAN requirement quoted at the top of the
# page concerns the server certificate, not this value.
commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

commonName_default = hello
  • 生成 CA 私鑰,得到 ca.key
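    # Generate the CA private key inside a subshell with umask 077 so ca.key is
    # created owner-readable only (mode 0600) without altering the caller's umask.
    (umask 077 && openssl genrsa -out ca.key 4096)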
  • 生成 CA 證書簽發請求(CSR),得到 ca.csr(提示輸入時一直回車,採用 ca.conf 中的預設值即可)
    # Build the CA certificate signing request from ca.key. The DN prompts take
    # their defaults from [ req_distinguished_name ] in ca.conf, so Enter
    # accepts each one.
    openssl req -new -sha256 \
      -config ca.conf \
      -key ca.key \
      -out ca.csr
  • 用 ca.key 自簽名生成 CA 根證書,得到 ca.crt
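    # Self-sign the CSR with the CA key to produce the root certificate ca.crt.
    # Issued with no extensions, ca.crt carries neither basicConstraints CA:TRUE
    # nor keyUsage keyCertSign, and verifiers that enforce CA flags on an issuer
    # (i.e. whenever ca.crt rather than server.pem is used as the trust anchor)
    # would reject chains built on it. -extfile supplies those two extensions
    # here via bash process substitution; ca.conf itself stays unchanged.
    openssl x509 \
      -req \
      -days 3650 \
      -in ca.csr \
      -signkey ca.key \
      -extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n') \
      -out ca.crt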
  • 建立 server.conf
# OpenSSL request configuration for the server certificate. Read by
# "openssl req -config server.conf" (CSR) and again, via -extfile, by
# "openssl x509 -extensions req_ext" when the CA signs it.
[ req ]

default_bits = 2048

distinguished_name = req_distinguished_name

# Pulls the [ req_ext ] section (the subjectAltName) into the CSR.
req_extensions = req_ext

[ req_distinguished_name ]

# Each *_default below is what "openssl req" uses when the prompt is
# answered with Enter.
countryName = Country Name (2 letter code)

countryName_default = CN

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = JiangSu

localityName = Locality Name (eg, city)

localityName_default = NanJing

organizationName = Organization Name (eg, company)

organizationName_default = Sheld

# The CN alone no longer satisfies Go 1.15+ host-name verification (see the
# error quoted at the top of the page); the authoritative name is DNS.1 under
# [alt_names]. Keeping the CN equal to it avoids confusion.
commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

commonName_default = www.hello.com

# Section named by req_extensions above and by "openssl x509 -extensions req_ext".
[ req_ext ]

subjectAltName = @alt_names

[alt_names]

# Must contain the name the client verifies against
# (SERVER_COMMON_NAME in client.go).
DNS.1 = www.hello.com
# Loopback entry for local testing. OpenSSL accepts the bare "IP" key here
# (only the prefix before any ".N" suffix is significant); "IP.1 = 127.0.0.1"
# is the more usual spelling.
IP = 127.0.0.1
  • 生成伺服器私鑰,得到 server.key
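# Generate the server private key inside a subshell with umask 077 so
# server.key is created owner-readable only (mode 0600) without altering the
# caller's umask.
(umask 077 && openssl genrsa -out server.key 2048)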
  • 生成伺服器證書簽發請求(CSR),得到 server.csr(提示輸入時一直回車,採用 server.conf 中的預設值即可)
# Build the server CSR from server.key. req_extensions in server.conf puts the
# subjectAltName (www.hello.com, 127.0.0.1) into the request; the DN prompts
# take their defaults from server.conf, so Enter accepts each one.
openssl req -new -sha256 \
  -config server.conf \
  -key server.key \
  -out server.csr
  • 用 CA 證書與私鑰簽發伺服器(終端使用者)證書,得到 server.pem(即命令中 -out 指定的檔名,client.go 讀取的也是此檔案)
    # Issue the server certificate from server.csr, signed with ca.crt/ca.key.
    # "-extensions req_ext -extfile server.conf" is what carries the
    # subjectAltName into the issued certificate; without it the certificate
    # would have no SAN, and Go 1.15+ clients (which ignore the CN) would not
    # match the host name. -CAcreateserial writes ca.srl on first use.
    # The output file is server.pem; client.go below loads ../keys/server.pem,
    # so keep this name.
    openssl x509 -req -days 3650 \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -in server.csr \
      -extensions req_ext -extfile server.conf \
      -out server.pem
  • client.go
// Host name the client expects in the server certificate. Since Go 1.15 this is
// matched against the certificate's subjectAltName (DNS.1 = www.hello.com in
// server.conf) rather than the CN; GODEBUG=x509ignoreCN=0 only re-enables the
// deprecated CN matching temporarily.
const SERVER_COMMON_NAME = "www.hello.com"

// Loads ../keys/server.pem — the server's own certificate, not ca.crt — as the
// client's trust root and overrides the server name used for verification with
// SERVER_COMMON_NAME. NOTE(review): this pins the leaf certificate, so rotating
// server.pem means redistributing it to every client; passing ca.crt instead
// would trust anything the CA signs. "creads" reads like a typo for "creds".
creads, err := credentials.NewClientTLSFromFile("../keys/server.pem", SERVER_COMMON_NAME)

原文:[https://blog.csdn.net/weixin_40280629/article/details/113563351]

