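I used openssl to generate certificates and private keys for the client and the server. Both are written in Python, and they communicate over gRPC for a federated learning process. I am trying to make the gRPC connection secure, but I ran into problems. gRPC secure connections are based on SSL, so I used openssl to generate a certificate and a private key for the client and the server. Checking the certificate (the client's and the server's are similar), openssl gave me this: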
openssl x509 -in /home/torino/Desktop/certificate.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6f:12:4e:5c:8d:a4:d0:f3:ef:4e:14:73:bb:cc:b3:bf:0c:9b:e9:84
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IT, ST = Itali, O = Uni, CN = *
Validity
Not Before: Nov 8 16:01:13 2021 GMT
Not After : Nov 8 16:01:13 2022 GMT
Subject: C = IT, ST = Itali, O = Uni, CN = *
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
76:D6:DE:F8:A7:92:5E:1D:45:AE:AA:58:56:B3:36:72:44:E8:62:81
X509v3 Authority Key Identifier:
keyid:76:D6:DE:F8:A7:92:5E:1D:45:AE:AA:58:56:B3:36:72:44:E8:62:81
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Checking the private key, openssl gave me this:
openssl rsa -in /home/torino/Desktop/privateKey.key -check
RSA key ok
writing RSA key
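This means the certificate and the private key are correct. But when I try to use the gRPC secure connection, I get the following error on the client: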
E1108 18:12:33.539123908 3109 ssl_transport_security.cc:1469] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
The server gave me this error:
E1108 18:12:33.540418211 1963 ssl_transport_security.cc:1839] No match found for server name: 192.168.37.137.
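If you still have the problem, or if someone else finds this post, please reply. I have seen a similar error that was caused by a missing SAN in the certificate used on the server. I think you may need to add a SAN with the value IP:192.168.37.137 to the certificate to make it work as expected.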
1. openssl req -nodes -new -x509 -keyout server.key
2. vi san.conf # add lines shown below
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = IP:192.168.37.137
issuerAltName = issuer:copy
3. openssl req -new -key server.key -out server.csr
4. openssl x509 -req -in server.csr -signkey server.key -out server.cert -days 3650 -sha256 -extfile san.conf
5. openssl x509 -in server.cert -text
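To confirm the diagnosis before touching the gRPC code, the following added example (not part of the original post or answer) builds two throwaway self-signed certificates with the same subject as the one in the question, one without a SAN and one with `IP:192.168.37.137`, and asks `openssl x509 -checkip` whether each is valid for that address. The function names, file names and the temporary directory are assumptions made for this example; it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: a CN-only certificate vs. one with an IP subjectAltName.
TARGET_IP=192.168.37.137   # address from the server-side error on this page

# make_cert DIR NAME yes|no : self-signed cert, optionally with an IP SAN.
# DIR, NAME and the file layout are constructed for this example.
make_cert() {
    cnf="$1/$2.cnf"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = IT
ST = Itali
O = Uni
CN = *
[ext]
basicConstraints = CA:TRUE
EOF
    # Appended last, so the line lands in the [ext] section.
    if [ "$3" = yes ]; then
        echo "subjectAltName = IP:$TARGET_IP" >> "$cnf"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# ip_matches CERT IP : succeeds only if CERT has an iPAddress SAN equal to IP.
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

compare() {
    tmp=$(mktemp -d) || return 1
    for kind in no yes; do
        make_cert "$tmp" "san_$kind" "$kind" || return 1
        if ip_matches "$tmp/san_$kind.crt" "$TARGET_IP"; then
            echo "SAN=$kind: $TARGET_IP matches"
        else
            echo "SAN=$kind: $TARGET_IP does NOT match"
        fi
    done
    rm -rf "$tmp"
}

compare
```

The same `ip_matches` check can be run against the real `server.cert` after step 4; a wildcard `CN = *` does not stand in for an IP address, so only the SAN entry makes the check pass.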