previously I've used grpc C-core for .net 2.x and it was working fine, with groc running on .net core 2.2 on server side and C#, Java grpc clients, using pem files for TLS.
Now I've noticed that the new grpc-dptnet no longer supports pem files. Does that mean everything breaks? no more backwards compatibility? I was looking forward to use the new worker service in .net core 3 to rewrite my grpc windows service, without the front end knowing it, so front end continues to use pem files for TLS. But it seems to be impossible now.
So can someone please advice me..
How many types of pfx files are there? client pfx, server pfx? or just one client pfx?
How does Java grpc client make use of the pfx file to connect to grpc server, esp when server is done in grpc-dotnet and not the C core grpc.
is there a difference between the pfx cert used by IIS and the one used by grpc server? will it cause a conflict if client side pfx is used on IIS with developer SSL cert.. for the case when asp.net web appp is also running grpc service.. esp when on the same port.. then what would happen?
How do I detect disconnect for grpc? previously with grpc-C-core, I would call Connect first, then wait for connection change status.. now with httpClient, I don't think this is possible.. or am I wrong?
I'm finding the new grpc-dotnet far more confusing and difficult to understand than the original grpc C core for .net. At least that was clear how to config ports, certs (generating pem files using openssl was very easy and all that matters was the CN field). Now with the pfx file format, I'm really confused.. so please bear with me if I sound stupid..
Related
So i have my site on hosting company, and this company support let encrypt certificate, so i generated it and now the site is running with https protocol.My server side(spring boot application web service oriented started on VPS) for this site is on another company. My questions are:
How can i use this generated certificate on my server side part,
is it possible, what should i do?
What i need to provide to the server, and all things that are needed the server to work?
When i was without the certificate everything worked perfect, but right now on the server side i get
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
and in the browser i get
net::ERR_SSL_PROTOCOL_ERROR,
when I`m trying the get resources from server.
From the hosting company i can get everything connected to the certificate
It seems that you are passing HTTPs traffic to web server which "talks" in plain HTTP.
Normally SSL termination is done on software like Apache HTTPD or Nginx.
Then you configure it to act as reverse proxy to your actual Spring boot application running in JVM.
You can also configure your JVM webserver (Jetty,Tomcat .. whatever you have) to use your Let's encrypt certificate, but I have doubt that certbot will be able to easily renew them.
I am trying to setup a two way SSL connection in between thrift C++ client and thrift Java server. Since I am new to thrift and client server connections, can someone help me with it?
Currently the part I am stuck at is that I am generating the .pem files for the key and certificate. I can use them directly for the thrift C++ client but how can I use it for in thrift Java server? As far as I know the thrift Java server supports the .jks format keystore and trust stores along with the password/key.
It will be great if someone who already have done something like that can provide me a sample working implementation for thrift C++ client two way SSL connection with the thrift Java server.
Another legacy support problem here!
We have a server multiple clients network where each component has a self signed certificate and is added to the server/client's trust store. We are not using a Certificate Authority here.
Now our problem is that we need to upgrade all the certificates for better security. The new clients will come with newer certificates and even the server will have new certificates.
Our problem is how to handle the old clients. Upgrading keystores of our old clients is the last resort.
Things that won't work:
Adding both the new and old certificates in server truststore: Even the clients are authenticating the servers and the server certificate will not be present in the client truststore.
Using new port for the new clients: We considered using new ports for new clients and continuing the old ports for old clients but the problem is that there are multiple applications which are facing this problem so we will have to search for multiple new ports which are not being used by other products.
FWIW: The servers are in Java and the clients are in C++
EDIT after EJP's answer
I am probably asking a very dumb question here but just wanted to be sure. There is absolutely no way to edit the SSL Context of a socket once it is bound. Correct?
Also, can we choose the server certificate to be used during the handshake? I know of chooseClientAlias() and chooseServerAlias() methods but here we don't know which certificate to use till the client Hello message is sent.
Leaving aside using different ports:
(1) will work as far as the server is concerned with the client certificates.
Nothing will work in terms of getting old clients to recognize the new server certificate, other than upgrading the client truststores.
This is why you should have used a CA, even an internal one, and why you should absolutely not make the same mistake again. If the clients had trusted the CA instead of a self-signed server certificate directly, you would not now have this problem, and you won't have it in future, however many times you upgrade the certificates, until the CA certificate expires, which should take 20 years.
And while you're at it, make sure you build in a way to update client truststores.
There is absolutely no way to edit the SSL Context of a socket once it is bound. Correct?
There is no way to edit the SSLContext once it is initialized, which precedes creation of sockets, let alone binding them. Hmm, maybe you could reload the KeyManager and TrustManager and just not tell the SSLContext, but I'm not saying it would (or wouldn't) work.
Also, can we choose the server certificate to be used during the handshake?
Yes, that's what the KeyManager interface is for, specifically chooseServerAlias().
I know of chooseClientAlias() and chooseServerAlias() methods but here we don't know which certificate to use till the client Hello message is sent.
chooseServerAlias isn't called until the ClientHello has been received.
I have a multi-player game that uses Java sockets, the server is a standard Java application and the client is a Java applet that runs in the web-browser.
Now since last Java's update (Java 7 update 51) all applets require code signing, so I would like to move way from the applet and rewrite the client in HTML5.
I've been looking into the socket.io and it seems quite easy, but I can't find any information on how to implement it into my server.
I would like to keep the server in Java, because it will be a lot of work to port it, so is there any libs that I could use on my server to make the communication possible between a java sockets server and a socket.io client, or what is the best approach? do I really need to port the entirely server?
Thanks.
The html5 WebSocket on which socket.io works is not equal to a "normal" C or Java socket. It implements its own protocol over TCP which includes handshakes and other stuff. To port your server you have to use a library maybe this helps you.
For more information on the WebSocket protocol see here.
We have a multiclient system where the client is written in Flash and the server is written in Java. Currently, communication is done in Flash by usage of flash.net.Socket and the protocol is written in JSON. The server uses a custom port to receive connections and then proceed to talk with each client. As expected, data is sent and received on both fronts as raw bytes, which are then decoded as needed.
We would like to encrypt the communication between clients and server. I have some basic understanding about public/private key encryption, but I do not know what is the best way to exchange keys or what libraries are available (on both languages) to do this.
What would be the best strategy to attack this problem and where should I start looking for libraries/methods to implement this encryption?
No need to reinvent the wheel. Use ssl/tls. There's an as3 ssl implementation that we've used in several commercial projects. Make sure you create a root cert store for the as3 component and populate it with at least the root ca for your server cert. On the server, use java's built in ssl server socket.
Alternatively, you could do away with the custom server, if this is at all possible, and use https, kind of like you would with Ajax in HTML/JavaScript.