Skip to content

nleiva/grpc-tls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits

client

client

 
 

proto

proto

 
 

server

server

 
 

vault

vault

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

certificate.conf

certificate.conf

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

vault-cert.md

vault-cert.md

 
 

Repository files navigation

gRPC TLS testing

Basic service to retrive user names based on their ID. This is just for TLS testing purposes.

Run

  • Server

    make run-server

  • Client

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1.

  1. Connect using the cert the Server provides during the TLS Handshake without verifying it.

    make run-client

  2. Connect using the cert the Server provides during the TLS Handshake and verify it.

    make run-client-noca

  3. Connect using the cert the Server provides during the TLS Handshake and verify it with a CA cert file provided.

    make run-client-ca

  4. Connect using a cert provided at runtime.

    make run-client-file

  • Help

    make

Generating TSL Certificates

You need these before running the examples. To create them run make cert. The certificates are valid for a year (-days 365). Below the step by step, for your reference.

  • CA Signed certificates

  1. Create Root signing Key

    openssl genrsa -out ca.key 4096

  2. Generate self-signed Root certificate

    openssl req -new -x509 -key ca.key -sha256 -subj "/C=US/ST=NJ/O=CA, Inc." -days 365 -out ca.cert

  3. Create a Key certificate for your service

    openssl genrsa -out service.key 4096

  4. Create signing CSR

    For local testing you can use '/CN=localhost'. For Online testing CN needs to be replaced with your gRPC Server, for example: '/CN=grpc.nleiva.com'. Include this in a config file (certificate.conf).

    openssl req -new -key service.key -out service.csr -config certificate.conf

  5. Generate a certificate for the service

    openssl x509 -req -in service.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out service.pem -days 365 -sha256 -extfile certificate.conf -extensions req_ext

  6. Verify

    openssl x509 -in service.pem -text -noout

Vault and Certify

See vault-cert.md for setup details.

  • Server

    make run-server-vault

  • Client

    export CAFILE="ca-vault.cert"
make run-client-ca

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1. Also, the name of the Vault's CA certificate file as CAFILE.

Running in Docker Containers

Build Docker images with make docker-build. You need to provide HOST and PORT as enviromental variables.

export HOST=grpc.nleiva.com
export PORT=443

  • Run the Docker Client image. Provide any ID.

    export ID=1
make run-docker-client

  • Run the Docker Server image

    make run-docker-server

Compiling protocol buffers

Run make proto.

About

Testing repo to validate all gRPC TLS options

Topics

tls grpc

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

55 stars

Watchers

3 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages