From ca9f8c78e168ede117a545f49cc5fd31fa309c41 Mon Sep 17 00:00:00 2001
From: Vinoth
Date: Sun, 25 Aug 2024 16:50:45 +0530
Subject: [PATCH 1/3] Adding fix to ignore self-signed certificates verification
---
 packages/grpc-js/src/transport.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/grpc-js/src/transport.ts b/packages/grpc-js/src/transport.ts
index 1acbab40e..703547f61 100644
--- a/packages/grpc-js/src/transport.ts
+++ b/packages/grpc-js/src/transport.ts
@@ -743,6 +743,7 @@ export class Http2SubchannelConnector implements SubchannelConnector {
 ...connectionOptions,
 ...address,
 enableTrace: options['grpc-node.tls_enable_trace'] === 1,
+ rejectUnauthorized: options['grpc-node.tls_reject_unauthorized'] ?? true,
 };
 
 /* http2.connect uses the options here:
@@ -837,6 +838,9 @@ export class Http2SubchannelConnector implements SubchannelConnector {
 if (options['grpc-node.tls_enable_trace']) {
 connectionOptions.enableTrace = true;
 }
+ if (options['grpc-node.tls_reject_unauthorized']) {
+ connectionOptions.rejectUnauthorized = options['grpc-node.tls_reject_unauthorized'];
+ }
 }
 
 return getProxiedConnection(address, options, connectionOptions).then(
From 9e6887368c1ff163dc68bb04ff70c7c64bb9f81c Mon Sep 17 00:00:00 2001
From: Vinoth Sermakani Alagendran
Date: Thu, 19 Sep 2024 11:55:31 +0530
Subject: [PATCH 2/3] Moved rejectUnauthorized from channel option to connectionOptions
---
 packages/grpc-js/src/channel-credentials.ts | 6 ++++++
 packages/grpc-js/src/transport.ts | 4 ----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/packages/grpc-js/src/channel-credentials.ts b/packages/grpc-js/src/channel-credentials.ts
index 2ed18507f..73672a295 100644
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
@@ -53,6 +53,7 @@ export interface VerifyOptions {
 * has been performed on the peer certificate.
 */
 checkServerIdentity?: CheckServerIdentityCallback;
+ rejectUnauthorized?: boolean;
 }
 
 /**
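Review bot: The new `rejectUnauthorized?: boolean;` member of `VerifyOptions` (patch 2/3, hunk at line 53) has no doc comment, although `checkServerIdentity` directly above it is documented. This field needs one more than most: when it is `false` the TLS client accepts a server whose certificate fails verification, so the channel is still encrypted but the peer is no longer authenticated. A short TSDoc block should say that verification stays on when the field is omitted, that `false` turns it off for every connection made with these credentials, and that a self-signed or private-CA server is better handled by supplying that certificate as the root certificate when the credentials are created. The interface body starts above the hunk.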
@@ -198,6 +199,11 @@ class SecureChannelCredentialsImpl extends ChannelCredentials {
 this.connectionOptions.checkServerIdentity =
 verifyOptions.checkServerIdentity;
 }
+
+ if (verifyOptions?.rejectUnauthorized) {
+ this.connectionOptions.rejectUnauthorized =
+ verifyOptions.rejectUnauthorized;
+ }
 }
 
 compose(callCredentials: CallCredentials): ChannelCredentials {
diff --git a/packages/grpc-js/src/transport.ts b/packages/grpc-js/src/transport.ts
index 703547f61..1acbab40e 100644
--- a/packages/grpc-js/src/transport.ts
+++ b/packages/grpc-js/src/transport.ts
@@ -743,7 +743,6 @@ export class Http2SubchannelConnector implements SubchannelConnector {
 ...connectionOptions,
 ...address,
 enableTrace: options['grpc-node.tls_enable_trace'] === 1,
- rejectUnauthorized: options['grpc-node.tls_reject_unauthorized'] ?? true,
 };
 
 /* http2.connect uses the options here:
@@ -838,9 +837,6 @@ export class Http2SubchannelConnector implements SubchannelConnector {
 if (options['grpc-node.tls_enable_trace']) {
 connectionOptions.enableTrace = true;
 }
- if (options['grpc-node.tls_reject_unauthorized']) {
- connectionOptions.rejectUnauthorized = options['grpc-node.tls_reject_unauthorized'];
- }
 }
 
 return getProxiedConnection(address, options, connectionOptions).then(
From 7121f27bb0d8db8807f59c63e96db1a4757c9a39 Mon Sep 17 00:00:00 2001
From: Vinoth Sermakani Alagendran
Date: Thu, 19 Sep 2024 12:22:35 +0530
Subject: [PATCH 3/3] Changed condition
---
 packages/grpc-js/src/channel-credentials.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/grpc-js/src/channel-credentials.ts b/packages/grpc-js/src/channel-credentials.ts
index 73672a295..46b715f1a 100644
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
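Review bot: The hunk at line 198 copies `rejectUnauthorized` into `this.connectionOptions`, but nothing visible here makes the flag part of how one `SecureChannelCredentialsImpl` is told apart from another. If the class compares credentials by their certificates and `checkServerIdentity` only (that code is outside the hunk, so this is an assumption to confirm), two credentials that differ only in this flag would compare equal. A caller that expects verification could then be handed a connection that was set up without it. The comparison should also cover the flag, along the lines of `this.connectionOptions.rejectUnauthorized === other.connectionOptions.rejectUnauthorized`, where `other` stands for the credentials being compared. The enclosing method starts above the hunk.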
@@ -200,7 +200,7 @@ class SecureChannelCredentialsImpl extends ChannelCredentials {
 verifyOptions.checkServerIdentity;
 }
 
- if (verifyOptions?.rejectUnauthorized) {
+ if (verifyOptions?.rejectUnauthorized !== undefined) {
 this.connectionOptions.rejectUnauthorized =
 verifyOptions.rejectUnauthorized;
 }
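Review bot: The `!== undefined` guard deserves a one-line comment, because a truthiness test looks equivalent at a glance and silently drops the only value that changes behaviour here. Something like `// Compare with undefined so an explicit false (verification off) is honoured; a truthiness test would ignore it.` above the `if` would keep a later cleanup from reverting it. The three diffstats list only files under `src/`, so no test pins this. A test asserting that credentials built with `rejectUnauthorized: false` carry `false` in their connection options, and that omitting the field leaves it unset, would cover both directions. The enclosing method starts and ends outside the hunk.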