examples: make tls example easier to run #5715
* Make the ca cert able to be verified by the server cert in openssl
* Make the port number consistent in each example (easy to copy paste wrong one)
* use correct netty-tcnative
examples/example-tls/README.md
| @@ -43,14 +43,15 @@ You can use the following script to generate self-signed certificates for grpc-j | |||
| mkdir -p /tmp/sslcert | |||
| pushd /tmp/sslcert | |||
| # Changes these CN's to match your hosts in your environment if needed. | |||
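Review bot: the comment on the last line of this hunk, `# Changes these CN's to match your hosts in your environment if needed.`, should read `# Change these CNs to match your hosts in your environment if needed.` (imperative verb, no apostrophe in the plural). Also `pushd` is a bash builtin rather than POSIX sh, so a reader who pastes this block into `sh` or `dash` gets `pushd: not found`; either state that the script is meant for bash or use `cd /tmp/sslcert` with a matching `cd -` at the end.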
examples/example-tls/README.md
| mkdir -p /tmp/sslcert | ||
| pushd /tmp/sslcert | ||
| # Changes these CN's to match your hosts in your environment if needed. | ||
| SERVER_CA_CN=localhost-ca # must be different than SERVER_CN |
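Review bot: `SERVER_CA_CN=localhost-ca # must be different than SERVER_CN` states a requirement without its reason, and the reason is exactly what a reader who edits the CNs needs. The PR description has it (the CA cert and the server cert need distinct names for OpenSSL to verify one against the other), so either drop the inline comment, as the thread below concludes, or make it carry that reason, e.g. `# keep distinct from SERVER_CN: a CA and a leaf sharing one CN do not verify with openssl`. If the comment stays, `different than` should be `different from`.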
Do we need the comment "# must be different than SERVER_CN"?
The comment is the justification for this change but why leave it in the README file?
I suppose not.
| openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/CN=${SERVER_CA_CN}" | ||
| echo Generate server key: | ||
| openssl genrsa -passout pass:1111 -des3 -out server.key 4096 | ||
| echo Generate server signing request: |
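Review bot: `openssl genrsa -passout pass:1111 -des3 -out server.key 4096` encrypts the server key with 3DES under a passphrase that sits in the command line (and therefore in shell history), and `-passin pass:1111` on the `req` line above does the same for the CA key. That is acceptable for throwaway demo keys, but the README should say in one line that these are demo keys and passphrases, so the pattern is not copied into a real deployment, and `-aes256` is the current choice over the legacy `-des3`. Separately, `echo Generate server key:` and `echo Generate server signing request:` are unquoted; `echo "Generate server key:"` is safer if a reader later edits the message.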
Lines 59 and 68 say "Self-signed..." which is incorrect, so we can fix that?
What would you prefer? I think self-signed is pretty clear; it means someone didn't give it to us.
See https://en.wikipedia.org/wiki/Self-signed_certificate
In technical terms a self-signed certificate is one signed with its own private key.
Here server and client certs are signed by the ca cert's private key.
Shouldn't this be "Make the server cert able to be verified by the ca cert in openssl"? Also this change is not making any material difference to the code, right? Because each cert is in its own file (server.crt vs ca.crt) and we are separately passing ca.crt as the trust-store it doesn't really matter that we used the same name "localhost" as the CN for both certs. In any case the example wouldn't have worked if that was the problem. I am okay with this change, but just trying to clarify.
done.
In Java it worked. The origin of this PR is @jtattermusch trying out our example and finding it confusing and not working out of the box. The certs could not be used by the C version of gRPC.
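The two points made in the comments above (a self-signed certificate is one signed by its own private key, so here only ca.crt is self-signed while server.crt is CA-signed; and the PR gives the CA a CN distinct from the server's so that OpenSSL-based verification accepts the pair) can be checked directly with the openssl CLI. The script below is an added example and not the README script from the PR: it generates the CA and server certificate with the PR's CNs, tells a self-signed cert from a CA-signed one, and runs the chain check a TLS client performs with ca.crt as its trust store. The scratch directory `WORK`, the 2048-bit unencrypted keys and the helper names `gen_certs`, `is_self_signed` and `verify_against_ca` are this example's own choices; it assumes a default openssl.cnf is installed, as the README script does.

```shell
#!/bin/sh
# Added example, not the grpc-java README script: build a CA-signed server cert
# whose CN differs from the CA's, then show how to tell a self-signed cert from
# a CA-signed one and how to check the chain the way a TLS client would.
# Assumes the openssl CLI is on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Scratch directory for the generated files (constructed; the README uses /tmp/sslcert).
WORK="${WORK:-$(mktemp -d)}"

# gen_certs CA_CN SERVER_CN: self-signed CA plus a server cert signed by that CA.
# Keys are left unencrypted to keep the example short; the README encrypts them.
gen_certs() {
  ca_cn=$1
  server_cn=$2
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  # -x509 makes the CA cert self-signed: its own key signs it, so subject == issuer.
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=$ca_cn" 2>/dev/null
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$server_cn" 2>/dev/null
  # The CA's key signs the server CSR: the result is CA-signed, not self-signed.
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# dn FIELD CERT: print the subject or issuer DN without the "subject="/"issuer=" prefix.
dn() {
  openssl x509 -noout "-$1" -in "$2" | sed "s/^$1=//"
}

# is_self_signed CERT: true when issuer == subject and the cert verifies with
# itself as the only trust anchor, i.e. it was signed by its own private key.
is_self_signed() {
  [ "$(dn subject "$1")" = "$(dn issuer "$1")" ] || return 1
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# verify_against_ca CA_CERT CERT: the chain check a client does with CA_CERT as trust store.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same CNs as the PR: the CA is localhost-ca, the server is localhost.
gen_certs localhost-ca localhost
for f in ca.crt server.crt; do
  if is_self_signed "$WORK/$f"; then echo "$f: self-signed"; else echo "$f: CA-signed"; fi
done
verify_against_ca "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt chains to ca.crt"
```

Running it prints `ca.crt: self-signed`, `server.crt: CA-signed` and `server.crt chains to ca.crt`. The subject/issuer comparison alone is only a heuristic, which is why `is_self_signed` also requires the cert to verify against itself; a CA-signed leaf that happened to share its issuer's name would pass the first test but not the second.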
sanjaypujare left a comment
Couple of suggestions but LGTM
examples: make tls example easier to run

* Make the ca cert able to be verified by the server cert in openssl
* Make the port number consistent in each example (easy to copy paste wrong one)
* use correct netty-tcnative
* address comments
cc: @jtattermusch