Golang TLS handshake error - "first record does not look like a TLS handshake"?

Question

Client-side code

tlsconf := &tls.Config{InsecureSkipVerify: true}
creds := credentials.NewTLS(tlsconf)
opts = append(opts, grpc.WithTransportCredentials(creds))
conn, err := grpc.Dial(endpoint, opts...)
// handle error and other cases

The server registers the service properly. The code for that is given below.

if err := s.registerServices(); err != nil {
	err = errors.Wrap(err, "unable to register services")
	return err
}

Here s is my s *Server (a pointer to my struct).

type Server struct {
	s        *grpc.Server
	conf     *config
	listener net.Listener
}

But when I try to serve the request using s.Serve(), it gives me this TLS handshake error:

transport: authentication handshake failed: tls: first record does not look like a TLS handshake

Answer 1

Score: 1

Your creds seem weird. I saw this error when I tried sending secured data on an unsecured connection.

Looking at the documentation - you're misusing the config:

    // InsecureSkipVerify controls whether a client verifies the server's
    // certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
    // accepts any certificate presented by the server and any host name in that
    // certificate. In this mode, TLS is susceptible to machine-in-the-middle
    // attacks unless custom verification is used. This should be used only for
    // testing or in combination with VerifyConnection or VerifyPeerCertificate.

Try using instead this DialOption:

grpc.WithInsecure()

So to be precise:

address := ...
conn, err := grpc.Dial(address, grpc.WithInsecure())
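
Added example (not code from the question or the answer): the error reproduced with only the Go standard library, by pointing a TLS client that uses the question's tls.Config at a listener that replies in cleartext. startPlaintextServer and probeTLS are hypothetical helper names, and the bytes the server sends are a constructed sample.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// startPlaintextServer (hypothetical helper) answers one connection in cleartext.
func startPlaintextServer() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		// Constructed sample: an empty HTTP/2 SETTINGS frame, sent unencrypted.
		c.Write([]byte{0, 0, 0, 4, 0, 0, 0, 0, 0})
		io.Copy(io.Discard, c) // drain the ClientHello until the client hangs up
	}()
	return ln, nil
}

// probeTLS (hypothetical helper) handshakes with the question's client config and
// reports whether the peer spoke plaintext, plus the 5 bytes read as a record header.
func probeTLS(addr string) (bool, [5]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
		return false, [5]byte{}, nil
	}
	var rhe tls.RecordHeaderError
	plaintext := errors.As(err, &rhe) && strings.Contains(rhe.Msg, "first record does not look like a TLS handshake")
	return plaintext, rhe.RecordHeader, err
}

func main() {
	ln, err := startPlaintextServer()
	if err != nil {
		panic(err)
	}
	fmt.Println(probeTLS(ln.Addr().String()))
}
```

The RecordHeader field of tls.RecordHeaderError holds the bytes the peer sent where a TLS record header was expected; here they are the start of the plaintext frame rather than a handshake record, whose first byte would be 0x16.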

huangapple
  • Published on April 23, 2022, 12:05:01
  • When reposting, please keep the link to this article: https://go.coder-hub.com/71976729.html