Need Help for setting ssl connection C++

Chaitanya Gangwar

Feb 9, 2016, 5:40:37 PM
to grpc.io
Hi,

I want to set up an SSL-based connection between server and client, but it is failing in the handshake. Below are my code changes. Can anybody please help with what I am missing here?

Error :
On Server Side:

E0209 14:35:29.561829549   31835 ssl_transport_security.c:1221] No match found for server name: 127.0.0.1.

On client Side:
E0209 14:35:29.573967763   31850 security_connector.c:496]   Peer name 127.0.0.1 is not in peer certificate
E0209 14:35:29.574000838   31850 handshake.c:129]            Error checking peer.
E0209 14:35:29.574008068   31850 secure_channel_create.c:102] Secure handshake failed with error 1.

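Server :
  // key and cert hold the PEM text of the server's private key and certificate.
  std::string server_address("0.0.0.0:50051");

  grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {key, cert};

  grpc::SslServerCredentialsOptions ssl_opts;
  ssl_opts.pem_root_certs = "";  // no client-certificate roots configured
  ssl_opts.pem_key_cert_pairs.push_back(pkcp);

  builder.AddListeningPort(server_address, grpc::SslServerCredentials(ssl_opts));

Client :
  grpc::SslCredentialsOptions ssl_opts;
  ssl_opts.pem_root_certs = cert;  // trust the server's own certificate as root

  // The host in the target string (127.0.0.1) is the name checked against the certificate.
  GreeterClient greeter(
      grpc::CreateChannel("127.0.0.1:50051", grpc::SslCredentials(ssl_opts)));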


Thanks
Chaitanya

Yang Gao

Feb 9, 2016, 5:56:50 PM
to Chaitanya Gangwar, grpc.io
Assuming everything else is correct, you may need to do this: https://github.com/grpc/grpc/blob/master/test/cpp/util/create_test_channel.cc#L71 to tell grpc the server's name from the certificate (like www.example.com). Otherwise grpc will just try to find whether your server's cert has 127.0.0.1 in it and complain if not.

Chaitanya Gangwar

Feb 9, 2016, 6:07:58 PM
to grpc.io, chaitany...@gmail.com
Hi Yang,

Sorry, I am not able to understand what you mean by "server name from the certificate". I have generated the key and certificate using the openssl library. My server is running on a unix box and on the same box I am running the client, so in the client code I am passing "localhost" as the server ip. Does the certificate contain the server name? Sorry if my question is too naive.

Thanks
Chaitanya

Michael Larson

Feb 9, 2016, 6:10:01 PM
to Chaitanya Gangwar, grpc.io
the domain name you access has to match what's in the cert.  you can use a hosts file entry to fake it for testing

Chaitanya Gangwar

Feb 9, 2016, 6:32:14 PM
to grpc.io, chaitany...@gmail.com
Thanks a lot. It's working now. :)

smpo...@gmail.com

Oct 6, 2016, 11:25:05 PM
to grpc.io, chaitany...@gmail.com
I am getting the following errors:
      In Server: "16437 ssl_transport_security.c:1288] No match found for server name: 0.0.0.0."
      In Client: "security_connector.c:532]   Peer name 0.0.0.0 is not in peer certificate"
How do I configure this IP or hostname (localhost) in the certificate?
Both are giving the same error. Please help me.

ankitba...@gmail.com

May 24, 2017, 3:13:11 AM
to grpc.io, chaitany...@gmail.com
Hi Chaitanya,

I am trying to do a similar thing, and am facing the same error. Can you please let me know how you resolved this issue?

Thanks!


chaitanya gangwar

May 24, 2017, 4:43:42 AM
to ankitba...@gmail.com, grpc.io
Hi Ankit,

Which library are you using to generate the certificates? Actually, while creating the certificates, it asks for company name and a few more details; you need to fill in these entries according to your requirement.
Let me know if you still face any issue.

Thanks
Chaitanya

ankitba...@gmail.com

May 24, 2017, 5:13:23 AM
to grpc.io, ankitba...@gmail.com
Hi Chaitanya,

Thanks for replying.

I am using openssl to generate the certificates. The command which I am using:

openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.crt


While generating the certificates, I am giving company name, email id, etc. (though I am not sure on what basis I need to enter these details). And my client and server are running on the same Ubuntu machine. Still, I am getting the following error on the server side whenever the client tries to connect:


E0524 12:10:59.288146095   19481 ssl_transport_security.c:1286] No match found for server name: localhost.

E0524 12:10:59.288177434   19481 ssl_transport_security.c:947] Handshake failed with fatal error SSL_ERROR_SSL: error:100000b8:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER.

E0524 12:10:59.288199327   19481 chttp2_server.c:83]         Handshaking failed: {"created":"@1495608059.288182792","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":274,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}


Thanks,
Ankit

Vijay Pai

May 25, 2017, 12:10:55 PM
to grpc.io, ankitba...@gmail.com
Hi there,

Please see the message earlier in this thread from Michael Larson: "the domain name you access has to match what's in the cert.  you can use a hosts file entry to fake it for testing"

The issue is that your cert hostname is not matching your target hostname (localhost in this case) and so it is assumed to be invalid. This is a general cert issue, not a gRPC issue. If you do a search for [certificate hostname does not match] you will get many hits about this issue in many contexts.

- Vijay
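
An added example, not part of any post in this thread and not gRPC project code: the `openssl req` command quoted above sets no subjectAltName, so the script below issues a self-signed test certificate that lists localhost and 127.0.0.1 and checks names against it with `openssl x509 -checkhost` / `-checkip`. The helper names `make_cert` and `cert_matches`, the file names and the subject values (CN grpc-test) are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: test certificate whose subjectAltName covers the names a client dials.

# make_cert DIR [SAN]: write DIR/server.key and DIR/server.crt (self-signed).
# Without SAN the certificate carries only subject fields, as in the thread.
make_cert() {
  dir=$1; san=${2:-}
  mkdir -p "$dir" || return 1
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
    # Subject values are constructed placeholders.
    printf '[dn]\nO = Example Test Org\nCN = grpc-test\n'
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = %s\n' "$san"; fi
  } > "$dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
}

# cert_matches CERT NAME: succeed only if OpenSSL's own hostname or IP check
# accepts NAME for CERT. All-digits-and-dots names are treated as IPv4 addresses.
cert_matches() {
  case $2 in
    *[!0-9.]*) flag=-checkhost ;;
    *)         flag=-checkip ;;
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# Demo: the subject-only certificate next to the one with a SAN.
tmp=$(mktemp -d)
make_cert "$tmp/subject-only"
make_cert "$tmp/with-san" "DNS:localhost,IP:127.0.0.1"
for c in subject-only with-san; do
  for n in localhost 127.0.0.1 0.0.0.0; do
    if cert_matches "$tmp/$c/server.crt" "$n"; then r="match"; else r="NO match"; fi
    echo "$c: $n -> $r"
  done
done
rm -rf "$tmp"
```

Pass the resulting server.crt as the client's `pem_root_certs` and dial one of the names listed in the SAN.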