我正试图从客户端进行安全的grpc调用,但我似乎无法让我的代码工作;以下是我所采取的步骤和实现。
我的规格:我在mac m1 pro上运行visual studio,我正在使用Protobuf-net Grpc
步骤1 -安装OpenSSL
brew install openssl
步骤2—创建证书和密钥
openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
this问了几个问题。然后创建了CRT和密钥文件。
我还通过运行以下命令确认了证书和密钥对是正确创建的。
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
服务器:
Program.cs文件var builder = WebApplication.CreateBuilder(args);
X509Certificate2 cert = new X509Certificate2("/Users/asimgunduz/server.crt", "/Users/asimgunduz/server.key");
builder.WebHost.ConfigureKestrel(opt =>
{
opt.Listen(IPAddress.Any, 5010, listenOptions =>
{
listenOptions.Protocols = HttpProtocols.Http1;
listenOptions.UseHttps(cert);
});
});
客户端
public static void RegisterGrpcService<TService>(this IServiceCollection Services) where TService : class
{
X509Certificate2 certificate = new X509Certificate2("/Users/asimgunduz/server.crt", "/Users/asimgunduz/server.key");
var socketsHandler = new SocketsHttpHandler
{
AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
PooledConnectionIdleTimeout = Timeout.InfiniteTimeSpan,
KeepAlivePingDelay = TimeSpan.FromSeconds(60),
KeepAlivePingTimeout = TimeSpan.FromSeconds(30),
EnableMultipleHttp2Connections = true,
};
socketsHandler.SslOptions.RemoteCertificateValidationCallback = (message, cert, chain, errors) =>
{
// Perform custom validation here and return a boolean indicating whether the certificate is valid
return certificate.Equals(cert);
};
var hand = new GrpcWebHandler(GrpcWebMode.GrpcWeb, socketsHandler);
//hand.HttpVersion = HttpVersion.Version11;
Services.AddCodeFirstGrpcClient<TService>(x =>
{
x.ChannelOptionsActions.Add(x => new GrpcChannelOptions
{
HttpHandler = hand,
MaxReceiveMessageSize = null, //30000000
MaxSendMessageSize = null, //30000000
Credentials = ChannelCredentials.Insecure,
UnsafeUseInsecureChannelCallCredentials = true,
ServiceConfig = new ServiceConfig { LoadBalancingConfigs = { new RoundRobinConfig() } }
});
x.Address = new Uri("http://localhost:5010");
})
.ConfigurePrimaryHttpMessageHandler(x => hand);
}
public static void RegisterGrpcServiceWithSsl2<TService>(this IServiceCollection services, string address) where TService : class
{
X509Certificate2 certificate = new X509Certificate2("/Users/asimgunduz/server.crt", "/Users/asimgunduz/server.key");
var handler = new SocketsHttpHandler
{
SslOptions = new SslClientAuthenticationOptions
{
RemoteCertificateValidationCallback = (sender, cert, chain, errors) =>
{
X509Chain x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool isChainValid = x509Chain.Build(new X509Certificate2(cert));
return isChainValid;
},
ClientCertificates = new X509Certificate2Collection { certificate }
},
PooledConnectionIdleTimeout = Timeout.InfiniteTimeSpan,
KeepAlivePingDelay = TimeSpan.FromSeconds(60),
KeepAlivePingTimeout = TimeSpan.FromSeconds(30),
EnableMultipleHttp2Connections = true
};
var channel = GrpcChannel.ForAddress(address, new GrpcChannelOptions
{
HttpHandler = handler,
});
services.AddCodeFirstGrpcClient<TService>(x =>
{
x.Address = new Uri(address);
x.ChannelOptionsActions.Add(options =>
{
options.HttpHandler = handler;
});
});
}
当我运行Server时,它抛出以下异常
"服务器模式SSL必须使用带有关联私钥的证书。">
任何帮助都非常感谢。
经过一个小时的努力工作,我已经设法使我的代码工作:把它留在这里,以防将来我或别人需要它。
修改我的代码
(服务器)program.cs我已经更改了端口号从5010 =>7178
//Created certificate with the below method
var certificate =
X509Certificate2.CreateFromPemFile("/Users/asimgunduz/server.crt", Path.ChangeExtension("/Users/asimgunduz/server.crt", "key"));
//Verify is blueprints match
var verf = certificate.Verify();
//and finally add usehttps(with the created certificate)
builder.WebHost.ConfigureKestrel(opt =>
{
opt.ListenLocalhost(7178, o =>
{
o.Protocols = HttpProtocols.Http1;
o.UseHttps(certificate);
});
});
,这是我如何更新我的扩展方法在客户端
public static void RegisterGrpcServiceWithSsl2<TService>(this IServiceCollection services, string address) where TService : class
{
var certificate =
X509Certificate2.CreateFromPemFile("/Users/asimgunduz/server.crt", Path.ChangeExtension("/Users/asimgunduz/server.crt", "key"));
var socketsHandler = new SocketsHttpHandler
{
SslOptions = new SslClientAuthenticationOptions
{
RemoteCertificateValidationCallback = (sender, cert, chain, errors) =>
{
X509Chain x509Chain = new X509Chain();
x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
bool isChainValid = x509Chain.Build(new X509Certificate2(cert));
return isChainValid;
},
ClientCertificates = new X509Certificate2Collection { certificate }
},
PooledConnectionIdleTimeout = Timeout.InfiniteTimeSpan,
KeepAlivePingDelay = TimeSpan.FromSeconds(60),
KeepAlivePingTimeout = TimeSpan.FromSeconds(30),
EnableMultipleHttp2Connections = true
};
var hand = new GrpcWebHandler(GrpcWebMode.GrpcWeb, socketsHandler);
hand.HttpVersion = HttpVersion.Version11;
services.AddCodeFirstGrpcClient<TService>(x =>
{
x.ChannelOptionsActions.Add(x => new GrpcChannelOptions
{
HttpHandler = hand,
MaxReceiveMessageSize = null,
MaxSendMessageSize = null,
Credentials = ChannelCredentials.Insecure,
UnsafeUseInsecureChannelCallCredentials = true,
ServiceConfig = new ServiceConfig { LoadBalancingConfigs = { new RoundRobinConfig() } }
});
x.Address = new Uri(address);
})
.ConfigurePrimaryHttpMessageHandler(x => hand);
}