grpc-java

History

ejona f96e7e8c6c Use real TLS security by default. The client now checks certificates and performs hostname verification. Tests check certificates, so the server uses a cert that the client trusts. Only the client portion of SslContextFactory was previously used. Applications that want to ignore certificates (i.e., for testing) can use io.netty.handler.ssl.util.InsecureTrustManagerFactory instead. The MOE configuration was already failing to work, and so required the simple mapping for examples in addition to what was needed for the new certs. ------------- Created by MOE: http://code.google.com/p/moe-java MOE_MIGRATED_REVID=80434148		2015-01-08 14:43:11 -08:00
..
README	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
badclient.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
badclient.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
badserver.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
badserver.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
ca-openssl.cnf	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
ca.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
ca.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
client.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
client.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
server0.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
server0.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
server1-openssl.cnf	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
server1.key	Use real TLS security by default.	2015-01-08 14:43:11 -08:00
server1.pem	Use real TLS security by default.	2015-01-08 14:43:11 -08:00

README

The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:1024 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Valid test credentials:
=======================

The ca is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:1024 -nodes -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 1024
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ rm client.key.rsa
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl ca -in client.csr -out client.pem

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 1024
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ rm server0.key.rsa
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl ca -in server0.csr -out server0.pem

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 1024
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ rm server1.key.rsa
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl ca -in server1.csr -out server1.pem