Cannot connect to SSL server using IP address #2691

Closed
dreveny opened this issue Jul 28, 2015 · 7 comments

@dreveny

dreveny commented Jul 28, 2015

Using the C++ interface, if I set up a server using SslServerCredentials and give it a certificate having a CN or subjectAltName that is an IP address (such as 127.0.0.1 or IP:127.0.0.1), the client (on the same machine in this case) cannot connect and gives the error:

"Peer name 127.0.0.1 is not in peer certificate"

However when I dump the certificate, I do indeed see that address. I've tried different formats as well but I think I found where all IP addresses are blocked:

https://github.com/grpc/grpc/blob/master/src/core/tsi/ssl_transport_security.c#L1402

Is there a way I can do this? Or is there a plan to support this in the future?

@yang-g
Member

yang-g commented Jul 29, 2015

@jboeuf Could you take a look?

@jboeuf
Contributor

jboeuf commented Nov 6, 2015

Sorry, this slipped through the cracks...
Right now, we don't have plans to support IPs in certs. If there is popular demand for it, we may add it though.

On Thu, Nov 5, 2015 at 2:22 PM, David G. Quintas notifications@github.com wrote:

> Assigned #2691 to @jboeuf.

@dreveny
Author

dreveny commented Nov 8, 2015

No problem. We changed our design a bit to use hostnames instead. I think that's better in the long run anyway. So we don't need this feature anymore.

@jboeuf
Contributor

jboeuf commented Nov 8, 2015

Thanks much for letting me know.

On Sun, Nov 8, 2015 at 9:11 AM, dreveny notifications@github.com wrote:

> No problem. We changed our design a bit to use hostnames instead. I think that's better in the long run anyway. So we don't need this feature anymore.

@jboeuf
Contributor

jboeuf commented Jan 7, 2016

Closing for now. Please re-open if someone wants this feature.

@jboeuf jboeuf closed this as completed Jan 7, 2016
@parmeshthee

Facing the same issue with C# while implementing SSL/TLS in gRPC. I generated a certificate with CN = 192.168.1.6 and used it to create objects of SslServerCredentials and SslCredentials. But when the client connects to the server it throws errors. It works fine with a certificate with CN=localhost or system names. Is there any workaround for this?
Client side:
E0917 11:05:13.783695 0 c:\jenkins\workspace\gRPC_build_artifacts\architecture\x86\language\csharp\platform\windows\vsprojects..\src\core\lib\security\transport\security_connector.c:532: Peer name 192.168.1.6 is not in peer certificate
E0917 11:05:13.784195 0 c:\jenkins\workspace\gRPC_build_artifacts\architecture\x86\language\csharp\platform\windows\vsprojects..\src\core\lib\security\transport\handshake.c:128: Security handshake failed: {"created":"@1505626513.784000000","description":"Error checking peer.","file":"c:\jenkins\workspace\gRPC_build_artifacts\architecture\x86\language\csharp\platform\windows\vsprojects..\src\core\lib\security\transport\handshake.c","file_line":152,"security_status":1}

Server side:
E0917 11:05:13.747679 0 c:\jenkins\workspace\gRPC_build_artifacts\architecture\x86\language\csharp\platform\windows\vsprojects..\src\core\lib\tsi\ssl_transport_security.c:1288: No match found for server name: 192.168.1.6.

@mwisniewski0

@parmeshthee Try using the subjectAltName instead of CN - it worked for me with an IP address (in Python, but the code that verifies the domain is in the C++ core regardless).

For reference, see https://github.com/grpc/grpc/blob/master/src/core/tsi/ssl_transport_security.cc, function tsi_ssl_peer_matches_name(). It explains step by step how the domain name is verified.
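
A general RFC 6125-style name check, showing why a certificate that carries the IP only in its CN is rejected for an IP target while one with an IP subjectAltName is accepted. This is an added example, not code from gRPC or from any commenter in this thread; `peer_name_matches` and the sample certificates are constructed for illustration and use the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

def _ip(name):
    """Return the parsed address, or None when name is not an IP literal."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive; '*' is honoured only as the entire leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        first, _, rest = h.partition(".")
        return bool(first) and rest == p[2:] and p.count(".") >= 2
    return p == h

def peer_name_matches(cert, peer_name):
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    want = _ip(peer_name)
    if want is not None:
        # An IP target is compared only with iPAddress SAN entries, never the CN.
        return any(k == "IP Address" and _ip(v) == want for k, v in san)
    names = [v for k, v in san if k == "DNS"]
    if not names:
        # Legacy fallback: the CN is consulted only when no DNS SAN is present.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, peer_name) for n in names)

# Constructed sample certificates (parsed form), mirroring the reports above.
CN_ONLY_IP = {"subject": ((("commonName", "192.168.1.6"),),)}
SAN_IP = {"subject": ((("commonName", "grpc-server"),),),
          "subjectAltName": (("IP Address", "192.168.1.6"),)}
CN_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}

if __name__ == "__main__":
    for label, cert, name in [("CN only, IP target", CN_ONLY_IP, "192.168.1.6"),
                              ("IP SAN, IP target", SAN_IP, "192.168.1.6"),
                              ("CN only, DNS target", CN_LOCALHOST, "localhost")]:
        print(f"{label}: {'match' if peer_name_matches(cert, name) else 'NO match'}")
```

To run it against a live server, pass the dict from `getpeercert()` on a verified connection together with the address the client dialed.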

@lock lock bot locked as resolved and limited conversation to collaborators Sep 30, 2018