gRPC sslcontext config


Problem description

   import io.grpc.netty.GrpcSslContexts;
   import io.netty.handler.ssl.SslContext;
   import java.io.File;

   // caFile, certFile and keyFile are java.io.File handles to PEM-encoded files
   SslContext sslcontext = GrpcSslContexts.forClient()
        .trustManager(caFile)           // CA(s) the client trusts for the server's certificate
        .keyManager(certFile, keyFile)  // client identity certificate and its private key
        .build();                       // throws javax.net.ssl.SSLException

Recommended answer

trustManager and keyManager are reciprocal across client/server; the client's trust manager needs to trust the server's key manager and the server's trust manager needs to trust the client's key manager (if using client certs). The only difference between client and server is the server must have a key manager and the client must have a trust manager. If you don't specify a trust manager for the client, a default will be used.

The trust manager is basically the Certificate Authorities that are trusted (independent of client or server). Key managers contain the identity certificate and the private key to prove that identity.

So keyManager on client-side is for a client certificate. You would need to configure the trustManager on server-side to trust that certificate: either include the certificate itself or, better, the Certificate Authority that signed the client's certificate. You can generally leave the client's trust manager as the default.

Note that the client will only send its certificate if the server requests it. So you need to configure the server to OPTIONALly or REQUIRE the client certificate:

sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
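The following is an added example, not code from the question or the answer above, showing both halves of the reciprocal setup the answer describes with grpc-netty: the server gets a key manager (its identity), a trust manager holding the CA that signed client certificates, and `clientAuth(ClientAuth.REQUIRE)`; the client gets a trust manager for the server's CA and a key manager with its own certificate. The PEM file names, the port 8443 and the single shared CA are assumptions.

```java
// Added example (not from the original question or answer): a minimal
// mutual-TLS setup with grpc-netty. File names and the port are assumptions.
import io.grpc.ManagedChannel;
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import java.io.File;
import javax.net.ssl.SSLException;

public class MutualTlsExample {
    // Assumed PEM files: ca.pem has signed both server.pem and client.pem.
    static final File CA_CERT = new File("ca.pem");
    static final File SERVER_CERT = new File("server.pem");
    static final File SERVER_KEY = new File("server-key.pem");
    static final File CLIENT_CERT = new File("client.pem");
    static final File CLIENT_KEY = new File("client-key.pem");

    // Server side: the key manager (identity) is mandatory; the trust manager
    // holds the CA that signed client certificates; clientAuth makes the server
    // actually request a client certificate during the handshake.
    static SslContext serverSslContext() throws SSLException {
        return GrpcSslContexts.forServer(SERVER_CERT, SERVER_KEY)
            .trustManager(CA_CERT)
            .clientAuth(ClientAuth.REQUIRE) // OPTIONAL would also admit clients without a cert
            .build();
    }

    // Client side: the trust manager is mandatory (explicit here: the CA that
    // signed server.pem); the key manager supplies the certificate the client
    // presents when the server asks for it.
    static SslContext clientSslContext() throws SSLException {
        return GrpcSslContexts.forClient()
            .trustManager(CA_CERT)
            .keyManager(CLIENT_CERT, CLIENT_KEY)
            .build();
    }

    public static void main(String[] args) throws Exception {
        Server server = NettyServerBuilder.forPort(8443)
            .sslContext(serverSslContext())
            // .addService(...) your service implementations go here
            .build()
            .start();

        ManagedChannel channel = NettyChannelBuilder.forAddress("localhost", 8443)
            .sslContext(clientSslContext())
            .build();
        // Use the channel with a generated stub; RPCs fail at the handshake if the
        // client omits keyManager while the server is set to REQUIRE.
        channel.shutdownNow();
        server.shutdownNow();
    }
}
```

Two checks worth doing with this layout: with `ClientAuth.REQUIRE` a client built without `keyManager(...)` must be rejected at the TLS handshake (a quick way to confirm the server is really asking for a certificate), and the server certificate's subject alternative name must match the host the client dials (`localhost` here), since the client's trust manager alone does not bypass hostname verification.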
