TLS with a gRPC C++ server


Todd Defilippi

Apr 22, 2018, 11:43:48 AM
to grpc.io
I am trying to get TLS authentication working for a C++ server implementation I am working on.

The relevant code is:

    // Server-side TLS: one PEM key/certificate pair for the listener.
    // pem_root_certs on the server is only used to verify client certificates.
    grpc::SslServerCredentialsOptions::PemKeyCertPair keyCert
        = { tlsKeyContents_, tlsCertContents_ };
    grpc::SslServerCredentialsOptions sslOps;
    sslOps.pem_root_certs = "";
    sslOps.pem_key_cert_pairs.push_back(keyCert);
    builder_->AddListeningPort(addr, grpc::SslServerCredentials(sslOps));

where tlsKeyContents_ and tlsCertContents_ are the server key and certificate, respectively.

I seem to be unable to get the TLS handshake to work.  When I enable gRPC logging, I see:

D0421 17:22:09.629340909   24866 tcp_posix.c:531]            write: {"created":"@1524356529.629325854","description":"OS Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken pipe","syscall":"sendmsg"}
D0421 17:22:09.629435059   24866 security_handshaker.c:126]  Security handshake failed: {"created":"@1524356529.629415453","description":"Handshake write failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken pipe","syscall":"sendmsg"}]}
D0421 17:22:09.629455934   24866 lockfree_event.c:167]       lfev_set_shutdown: 0x7fa0911b1648 curr=(nil) err={"created":"@1524356529.629415453","description":"Handshake write failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken pipe","syscall":"sendmsg"}]}
D0421 17:22:09.629474573   24866 lockfree_event.c:167]       lfev_set_shutdown: 0x7fa0911b1650 curr=0x2 err={"created":"@1524356529.629415453","description":"Handshake write failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken pipe","syscall":"sendmsg"}]}
D0421 17:22:09.629490837   24866 combiner.c:218]             C:0x7fa09105ec60 grpc_combiner_execute c=0x7fa091231c90 cov=0 last=1
D0421 17:22:09.629500108   24866 timer_generic.c:322]        TIMER 0x7fa091054980: CANCEL pending=true
D0421 17:22:09.629506399   24866 chttp2_server.c:83]         Handshaking failed: {"created":"@1524356529.629415453","description":"Handshake write failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken pipe","syscall":"sendmsg"}]}

Is there something I am missing?  (Please let me know if there is any other relevant logging/output I should include.)

Thanks,
Todd

Arpit Baldeva

Apr 24, 2018, 3:29:10 PM
to grpc.io
The code you have on server side looks correct to me (I have pretty much the same code).

Have you loaded the root cert for the server on the client (the CA that issued the cert to the server)? On client side, code could look like:

    // Client-side TLS: load the CA certificate that issued the server's cert
    // (readSSLFile is a local helper that reads a PEM file into a string).
    std::string rootCerts;
    readSSLFile("cacert.pem", rootCerts);

    grpc::SslCredentialsOptions sslOps;
    sslOps.pem_root_certs = rootCerts;

    GrpcClient grpceClient(grpc::CreateChannel(ENDPOINT_1_EXTERNAL_SECURE, grpc::SslCredentials(sslOps)));

There are some details at https://github.com/grpc/grpc/issues/9593

HTH.

Todd Defilippi

Apr 25, 2018, 5:22:40 PM
to grpc.io
The client is a Cisco device, so unfortunately I don't know exactly what it does.  But I did have to copy my root cert over to the client device, so I'm assuming it does largely what your example does.

Should I have anything set for sslOps.pem_root_certs?  Some of the examples appear to have something, but then others don't.  Or is that field only used when I am setting the SSL options for a client?

Thanks,
Todd

Arpit Baldeva

Apr 25, 2018, 6:30:21 PM
to grpc.io

I think sslOps.pem_root_certs is only required if your client is using client cert auth.

>>so unfortunately I don't know exactly what it does.  But I did have to copy my root cert over to the client device
Without knowing much about what your client does or if it actually loads the right root cert, it'd be difficult to diagnose the issue. Maybe some grpc SSL/network expert can chime in here and provide some way of obtaining more info on the server.
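The check both replies above come down to is whether the root certificate the client holds is the one that issued the server's certificate. The script below is an added example (not code from this thread) that builds a throwaway CA and server certificate with the openssl command-line tool and runs that trust check with the right CA and with an unrelated one; all certificates are constructed on the fly and the only assumption is that `openssl` is installed.

```shell
#!/bin/sh
# Constructed test material only: a throwaway CA, an unrelated CA, and a
# server certificate issued by the first CA. Nothing here is the poster's
# real key or certificate. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = file basename, $2 = CA common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate signed by CA $1 for hostname $2.
# (A production certificate also needs a subjectAltName matching the name
# the client dials; gRPC checks the hostname as well as the chain.)
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# chain_ok SERVER_CERT ROOT_BUNDLE: returns 0 if ROOT_BUNDLE validates
# SERVER_CERT, 1 otherwise. This is the trust decision a gRPC client makes
# with whatever it was given in pem_root_certs.
chain_ok() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "OK:   $(basename "$2") validates $(basename "$1")"
        return 0
    fi
    echo "FAIL: $(basename "$2") does not validate $(basename "$1")"
    return 1
}

make_ca issuing "Test Issuing CA"
make_ca unrelated "Some Other CA"
make_server_cert issuing grpc-server.example

# Client holding the issuing CA: the handshake can proceed.
chain_ok "$WORK/server.pem" "$WORK/issuing.pem"
# Client holding the wrong root (or none): verification fails before any RPC.
chain_ok "$WORK/server.pem" "$WORK/unrelated.pem" || true
```

Against a live server the equivalent check is `openssl s_client -connect host:port -CAfile cacert.pem -alpn h2`, which prints the presented chain and the verify result.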