weihong-ou / grpc-tls

Testing repo to validate all gRPC TLS options

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

gRPC TLS testing

Basic service to retrive user names based on their ID. This is just for TLS testing purposes.

Run

  • Server

    make run-server
  • Client

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1.

  1. Connect using the cert the Server provides during the TLS Handshake without verifying it.

    make run-client
  2. Connect using the cert the Server provides during the TLS Handshake and verify it.

    make run-client-noca
  3. Connect using the cert the Server provides during the TLS Handshake and verify it with a CA cert file provided.

    make run-client-ca
  4. Connect using a cert provided at runtime.

    make run-client-file
  • Help

    make

Generating TSL Certificates

You need these before running the examples. To create them run make cert. The certificates are valid for a year (-days 365). Below the step by step, for your reference.

  • CA Signed certificates
  1. Create Root signing Key

    openssl genrsa -out ca.key 4096
  2. Generate self-signed Root certificate

    openssl req -new -x509 -key ca.key -sha256 -subj "/C=US/ST=NJ/O=CA, Inc." -days 365 -out ca.cert
  3. Create a Key certificate for your service

    openssl genrsa -out service.key 4096
  4. Create signing CSR

    For local testing you can use '/CN=localhost'. For Online testing CN needs to be replaced with your gRPC Server, for example: '/CN=grpc.nleiva.com'. Include this in a config file (certificate.conf).

    openssl req -new -key service.key -out service.csr -config certificate.conf
  5. Generate a certificate for the service

    openssl x509 -req -in service.csr -CA ca.cert -CAkey ca.key -CAcreateserial -out service.pem -days 365 -sha256 -extfile certificate.conf -extensions req_ext
  6. Verify

    openssl x509 -in service.pem -text -noout

Vault and Certify

See vault-cert.md for setup details.

  • Server

    make run-server-vault
  • Client

    export CAFILE="ca-vault.cert"
    make run-client-ca

You need to provide an ID which is the id of the user we want to retrieve from the Server, for example export ID=1. Also, the name of the Vault's CA certificate file as CAFILE.

Running in Docker Containers

Build Docker images with make docker-build. You need to provide HOST and PORT as enviromental variables.

export HOST=grpc.nleiva.com
export PORT=443
  • Run the Docker Client image. Provide any ID.

    export ID=1
    make run-docker-client
  • Run the Docker Server image

    make run-docker-server

Compiling protocol buffers

Run make proto.

About

Testing repo to validate all gRPC TLS options

License:BSD 3-Clause "New" or "Revised" License


Languages

Language:Go 63.3%Language:Makefile 21.2%Language:Dockerfile 13.5%Language:HCL 2.1%