Node.JS @grpc/grpc-js issue with disabling the verification of the server's TLS certificate

[vinothsa4891]

Problem description

We have a use case to access the gRPC service via Tunneling through a reverse proxy. The Proxy has a self-signed TLS certificate.

I see an option to disable the verification of the server's TLS certificate in client credentials. Check ServerIdentity: ()=> undefined. This is not working as I'm getting an error "Error: 14 UNAVAILABLE: No connection established. Last error: self-signed certificate in certificate chain"

const verifyOptionsFalse = {
checkServerIdentity: () => undefined,
};

const sslCreds = grpc.credentials.createSsl(
  null,
  null,
  null,
  verifyOptionsFalse 
);

this._grpcObj.<< serviceName >>(
"<< proxy_dns >>:8081",
sslCreds,
)

This is working only if I pass the server ssl_certificate ( ex : servercert.crt ) or set up process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'.

Also in Golang its working by just setting "InsecureSkipVerify:false" -
creds := credentials.NewTLS(&tls.Config{
InsecureSkipVerify: true,
})

Environment
OS name, version and architecture: Linux Debian
Node version 18.19.0
Package name and version gRPC@1.11.1

@murgatroid99

[vinothsa4891]

PR Created - #2812

Adding a fix to ignore self-signed certificates verification

File : grpc-node/packages/grpc-js/src/transport.ts.

connectionOptions = {
...connectionOptions,
...address,
enableTrace: options['grpc-node.tls_enable_trace'] === 1,
rejectUnauthorized: options['grpc-node.tls_reject_unauthorized'] ?? true,
};

[murgatroid99]

We already have an established way to make a client accept self-signed certificates: create a CA certificate file with the signing certificate information, and pass the contents of that file in the first argument of credentials.createSsl.

[vinothsa4891]

@murgatroid99 Yes that works , But In our case, it is acceptable to disregard the certificate verification and the http2.connect works only with rejectUnauthorized as false for self signed certificates.

[vinothsa4891]

@murgatroid99 I tried with verifyOptions checkServerIdentity: () => null, but with this, I was able to disable only the hostname/CN name verification. I'm still getting error for self signed certificate. I see only rejectUnauthorized: false to bypass the verification of self-signed certificates and allows the client to make SSL requests without validating the server’s SSL certificate

[darnley]

Hello, @murgatroid99, is there an estimate of when this fix will be released?

[murgatroid99]

This is a new feature, so it will be out in the next minor release. I don't have a specific estimate for the release but it will likely be soon.

[murgatroid99]

This has been released in version 1.12.x.