Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL

[sku...@gmail.com]

Hi,

I am trying to setup a gRPC client and server example on WSL with SSL (server authentication only)

I created the following files (following this tutorial: https://jsherz.com/grpc/node/nodejs/mutual/authentication/ssl/2017/10/27/grpc-node-with-mutual-auth.html)

my_root_cert.crt

-----BEGIN CERTIFICATE-----

MIIEgDCCAmigAwIBAgIQBSsnVXC24hhmdgVV6NlFXzANBgkqhkiG9w0BAQsFADA3

MRcwFQYDVQQKEw5FbnJpY2htZW50IEluYzEcMBoGA1UEAxMTRW5yaWNobWVudCBz

ZXJ2aWNlczAeFw0xODEwMTcwODE2MjVaFw0yMDA0MTcwODEwMTFaMCUxIzAhBgNV

BAMTGkxULTgyMDRQVC5jZWxsZWJyaXRlLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEF

AAOCAQ8AMIIBCgKCAQEAuk+HpXl6WE7oYm+AfgRqPWDc4MWCErax7LmFXXQXuh9x

a6Rv7fa/Vu7v31mQhdrFIcQu8DW/4q9jkGTYp4mUsmA7TapWhWDtN1GCr+gHeUYN

oFwXP3pki9BWWCR4lrCNeInSpDzTn71eymyfItUcWYHWcm4uM/hQ03/KpXtDzdHr

IQPDH6QmNFi8ulfyv6Urr/DOC9QHazgYnShHPJMEnUXv05vP0lAT30qR/9yaTcke

XI+332G+38iivLNp1ESWh+u+uMm1Yf/cz/Ai1rCPdTct/br1bl2LWm1vz6vI176W

93oHCOOcAW+/Hf/11F/KvtlVBoZ0Tl6e7d++tDnG9wIDAQABo4GZMIGWMA4GA1Ud

DwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O

BBYEFP/stlJSMQ0Pf1I8RFZ9jMNFqbmlMB8GA1UdIwQYMBaAFMKTZ5z5ZU9uSurP

Lqi1Yfnfi4gfMCUGA1UdEQQeMByCGkxULTgyMDRQVC5jZWxsZWJyaXRlLmxvY2Fs

MA0GCSqGSIb3DQEBCwUAA4ICAQAEdZ5+RvPfg46DypZx3pctlWa4r2yFln8gzwyW

Xq6VaK29jkFNlbchOXkFrhtOWIskZLmmNhLOCWHDgvleclt96kHxjr4tAC8S6rRb

sjTSnhkIFOQYSGvBDTTuvNb371zl5kXlnCFntvpOh4PxTmzlyb1TdnZXUYWSDuDl

eL5KBeFCoZhzsohZB+LTsOeRfYR86koMSpZKZcg5NxQfjdni7WMPti956jITOKm/

FVh57HWMZWe587gtvK9Ntm29j4uiX6skpgprHgHwzBnfYIiyCWRneu2IZ7oJjeU1

s+IsskYpNLx/9tyV3PHcbcslvxDsV8SntW6Ds5kIc/qtgBqv2cmAc4fECTEJdJLP

7aMBhq3nKTEQoogy0VgNUKrQG66y0x467epiHtMO6doxCEt0wcvH/Z4ou4Vm9MtL

dXpJ4a60Vqpd1Da3WuyNFP0YeINeDjgREJHEIkdwpbm86RkxgZtQM2C7lsB3A4rg

H2ql7nvx3YXQOqcdWk+OwB6f70nvEm8Ph1U/qeLPchB4YnzQ670nDRjY4boKaZ1g

hZKdD/J6j9Aua7F2NhCvzFlgKEALZbhPzzy+XwYZWf+oF2OB+rVA462g6ULWplkd

70Nb+hecRqp8y4D1qn1bcZftfsAxhv73Myb+fwUBnhWNKTFpW5HSTZYY0qx5zOf1

rlGphw==

-----END CERTIFICATE-----

my_private.key (private_key)

-----BEGIN RSA PRIVATE KEY-----

MIIJKQIBAAKCAgEAzcgKxU9Xss9Lup0atVdCrRAn/W/mAyVpSZrlRWdO9/Rk4GuN

MehNNaCUrux+UQ8kUJn8S9+PBHW1SSG/IkRazfnk9Y9ThlIQiU3PNVbY9cHwXwf1

kTtMe7jo58B1vY4MM4Llu311WQ74ru4voElyupZh7m8wlbEIhqNZAuZ2733wgntv

kX0EXVb1wKdnQDCX+aDwti6KEIyI04dMdlpJ+cwkJnXTErwCdePF26lx8Lw3SNji

WLiiQJewBJQ5qDmeOL/5dDXu4cf/6kp/wPrQaKUEAtw8gK90QJJR9trO2GiWalhI

b+oHA+eLsOultqk3ZlQ0l84QKtwUkDnPpR4PK5yI+ykBZXSuFX0eyM0vOIf65I3e

UxIfKGm3f4Xh0gn2hRCFvVQ/wNUdsTi+itn9JipzzPK/OtI7+pkLi/mEdb6uD+50

9Y/icnVope3KNsYqAfg0KNiv5l5gBzEISvRbwm4IEQ/4QjyBAPac19LoI1scECv4

imyD/R3/7bxdbsTPJwg+wdyevGB1SU0D2DtopM8qR62lqzcJLaeZXIq1U5TYqwFu

CsEjs8ZKiTe+2NiFpCFvPtZha4ulUt2sdk8h/d07VZW92i1EnkeKyRTVo0TLkU0m

v46/bFH5VkoruAJFsuNPucdK35s6yPFgH2/Xtql7VL3ZRNGapjsukf6uHPUCAwEA

AQKCAgEAnKKhODE9wvixXxnIw7HpKcx7dBkhztFCRGmoDN0nKewYgQ68yflWE/To

WAHh4JeS/9tGRQalWTKzzDfowg+fwtttYVE4taxvs+PLToGN4fs+mUd4r5Sgkihc

+FLyDFg8h1Uiw0Uq9qBDwPvCutJNhyOC5bgzFi5MHBfoYCHG9GM7mEaW1PqBQP85

Tuzd1elnNPdBYpsoMpKWb9Sz6f6uAntWJQRYpxD/GndHGv3uodzShBu6pufbcSlF

LScagCdjfTT7j26iJ7BR5yfP+LexvYWl+Ptk/lsPNTtrMmi5O9bYb5hFgxJzRpCQ

Lxof6FsDtVtxMQAEJGujJ2kp2jh4OE630b/yrHdhfXiBCnvnaZZatr8x5QwTS7d8

6AF2/CGmbnKe5CfJ4ry99EQrIhUNk19l+De2lk5hDHldm+8A5zJVKzPEcj7wU/sC

jXDS3orDcECBr2bqWp0pLHPy+SQcerPsnpD+1pxsPPuJhOdpLRTNk99umhojiWdw

i17EjR9qKE1aFSfBCu7DloVD0bF9+nDLmVT2P9oZAchRI8Qd/o93K+FUTKpbybyQ

D7YVb3CDnshtCV2DfyeVibVnoJOdEuY72/KF5qbphBpH/NSL5RgJ90n3Xo+x8qyd

2GjapwdOYRSWuJRaqlD4pPeWRs/A5NXSJi9cfGoRL5aW+T18feECggEBANV3xf9a

kFsoms10Sg+OSU15mhcvPkLkqnMiiqjGGWtjGT9H5PuFjTvBY36f0rlWADLvSPyz

oNuV3JaMhAFpjYUQzFXOtbm/CejjzQdn8ZLW6WtMA4e8buy/w9Xek0XgZXsvNAg1

U2OWKXH0qUN0GtVc2smo6dy+uy6L7LkNc+QDWopBzDdZf8r/k1dRI7iU5zSo/Bo6

f04d3AYf5QGTmBosJYkXppzk/TRc7/O7jjr5Ta0zF3lE9sdSsdrCCNFb5jgJafuu

8Is5li49jbQ2IxXgPVvHqVW4RebcV6IcXavmNnUUYENDr7bLqAWdsKhu7kF0L3f7

FyHJrMHvjzwbqskCggEBAPbINeMx6uTpDrktf/O+ecsmBB9Y+9k6hh5mxdq/aZDd

rYeiZ2hSm7haZQEXPa04S0Z0CgqWw/ucCgOdUUdprzWiomGKcKdBn/cro4mauoFQ

DXs9BBhQBWRbNNe9jIR9g6aOW3wsoS+4+qwU/98fxD0g5jHznclge0c7ny8LygYF

T/dhAv/XM79zX9Vdr88H69ELsGRzC28bOECYwU8kxFL109CSoNjxljj0NlGSARUC

2ZzIQ2lMxhRzy1a7U/7KA/vYw7sY+vbLQOYPZ0WqxvIwbltJ2URSBrylCel9ehKa

/hIDrIMSgnBx/hHWE0IaGqkNlgLJYWMJTD2QxYPGis0CggEAcRwj9+he8U6UqCTk

UVXNlZXHhl1sGjnb72HwIvnE4lgCOru3o2birTUNqTy6haYCOPr9q5jqtS+1ULho

Ae+SI14BR75eIGwPri12qGP1Zx8lU8tVW4kHJb9+30Yutynt29XpNig7ZVtd3poL

TkipJ0EqVQyBzovp1wIhjvSH4du9D+FJelKcGk5OHkhKKzYLRKX930/7wMKloUEp

MSqpv8SApyG3EQ9s82ADbRyGgs0y0YFvAL0AHiG9R/LkhTqyxCKI2+mYX81FvH61

JTZCZQcKvCURnvAjae57KNTq9XjohiUj1MB6zNsgzsj9oGIXMOuFc4fCfA7G0YRE

W081sQKCAQAnTQkv7nIvFGKQ4QsggTQaQyqi52PsW2KiktFtndAtDvCkyhtXxNgh

ytuNCet7m5x5Ut+Kgioh9t6tZq9cBRuvGgBsMkTwjgXwshVwQ6DyGRKcjsIJMS06

pz/KH9ix/N8rdj5hjyX4WKgrIYkCOqfg6E1gpSB6wo+/b2JRdrosrUnn5p44qkgG

dFRNwYbPHL7UYt0rkhq/DgGuX+VhOkS9xYJ/E+rjwc2fsly4Lt1XQEXxrv71VRGy

jiJS5LBiwj9SK1o4gKjvBr2GJevXb3QRe98HUMJ2G+4QuuPSOHZpYh+WNNmTYi49

xBmnM4WLoGagh5ZdST7mK8Plhhm+e679AoIBAQCFZY8hDyEemsHqnzPlkuvG+bBD

RD5QJ9epemDYm78SzDXZ2L1y+luNZVE0XlqXyEXe6z5qcZfa+o7BOLZIXH7qASXf

pGewHjcfPAzWpgYCNCkADbDtLWAhFg3fotGvRYj5n0cqVAmGqZBGsva4mEHA7jn5

/ra+FPZgKB1UapLrQ9ZxYPNZ9kD3UavTr8U+uWNV1PnOXSyjREyT9LO5N4HJQBEt

IbYf2GHcpAmghq5nxvPTGi9kwhjBhmjyYskMI+yAbWmqBpZ3+2n5Sx9fCnRyQlBx

emU9U0u2Q4S9m58SQAS8nso0WEO1qTR2bAwKTTSROqKeP0SPiLftRMJL8Hnu

-----END RSA PRIVATE KEY-----

my_crt.crt (cert_chain)

-----BEGIN CERTIFICATE-----

MIIFLjCCAxagAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRcwFQYDVQQKEw5FbnJp

Y2htZW50IEluYzEcMBoGA1UEAxMTRW5yaWNobWVudCBzZXJ2aWNlczAeFw0xODEw

MTcwODEwMTJaFw0yMDA0MTcwODEwMTJaMDcxFzAVBgNVBAoTDkVucmljaG1lbnQg

SW5jMRwwGgYDVQQDExNFbnJpY2htZW50IHNlcnZpY2VzMIICIjANBgkqhkiG9w0B

AQEFAAOCAg8AMIICCgKCAgEAzcgKxU9Xss9Lup0atVdCrRAn/W/mAyVpSZrlRWdO

9/Rk4GuNMehNNaCUrux+UQ8kUJn8S9+PBHW1SSG/IkRazfnk9Y9ThlIQiU3PNVbY

9cHwXwf1kTtMe7jo58B1vY4MM4Llu311WQ74ru4voElyupZh7m8wlbEIhqNZAuZ2

733wgntvkX0EXVb1wKdnQDCX+aDwti6KEIyI04dMdlpJ+cwkJnXTErwCdePF26lx

8Lw3SNjiWLiiQJewBJQ5qDmeOL/5dDXu4cf/6kp/wPrQaKUEAtw8gK90QJJR9trO

2GiWalhIb+oHA+eLsOultqk3ZlQ0l84QKtwUkDnPpR4PK5yI+ykBZXSuFX0eyM0v

OIf65I3eUxIfKGm3f4Xh0gn2hRCFvVQ/wNUdsTi+itn9JipzzPK/OtI7+pkLi/mE

db6uD+509Y/icnVope3KNsYqAfg0KNiv5l5gBzEISvRbwm4IEQ/4QjyBAPac19Lo

I1scECv4imyD/R3/7bxdbsTPJwg+wdyevGB1SU0D2DtopM8qR62lqzcJLaeZXIq1

U5TYqwFuCsEjs8ZKiTe+2NiFpCFvPtZha4ulUt2sdk8h/d07VZW92i1EnkeKyRTV

o0TLkU0mv46/bFH5VkoruAJFsuNPucdK35s6yPFgH2/Xtql7VL3ZRNGapjsukf6u

HPUCAwEAAaNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw

HQYDVR0OBBYEFMKTZ5z5ZU9uSurPLqi1Yfnfi4gfMA0GCSqGSIb3DQEBCwUAA4IC

AQCZicw1L1DK5OEBofVSTKXdAWZnCzVguFl0veNeIk6kvXZjoRB70tssUAOA374O

rIcPq0XXw0kO26m51pnEK2LK4iBlmY4bGWxVNnyh860bzISUunSA1Bw95rSU366V

1+hVo8sESnJdq6B/miQwsasF0Bd8EDvN9LRFgnw5ModsjRK9soz2BQLPd1row7Gy

lh73OEaKvNmcqN8mygC7uPVztQvbNM7Wb/oIpNIhVvgVqs0j0Yhbn693Ig7k/uuD

zJCF0O34AMbMoHDAdigDyymdcR+TJtroaTnM7w6wquVQIWzGmmY3ix3TUD5YBCWV

7xVY7X4kXKAkHc/hodA1DH9xgpJyW5Dc7TtDajPPYsOuxFZGJXtdOaIIiL7KbVU8

Y8oeQi5OPNsouqXBm4i6r5t0BjNx5zRIgvNioKpgdcQsSQvlWLqDfCiOoQgcB/E+

1ZR5SH9SLMH+2CSRnCui1TyxJW4yTzVCOkQEWSa1u/67uuzg1y6ouqk3kZGP6Wwg

t3qdFM9sD0Pl/C4qVc9iqdyqIMXSDD4pOLEqyZ7J6V7yg4JCI7gRktGPpcqoHD29

78+nsmYxgbdDQ8YxV+UKNxP9ocWYmjh0RMTAvO9J71gVNY4GzWLytKqfci2hb3+v

/vxB0XOqSX7RrmN6eryAHgwFtbTp13SZDAtMxxwbYQYH6Q==

-----END CERTIFICATE-----

And I use them as follows:

Server Code

server.bind('0.0.0.0:50051', grpc.ServerCredentials.createSsl(

Buffer.from(fs.readFileSync(my_root_cert.crt"))),

[{

private_key: Buffer.from(fs.readFileSync(my_private.key"))),

cert_chain: Buffer.from(fs.readFileSync(my_crt.crt")))

}],

false));

server.start();

Client Code

var client = new hello_proto.Greeter('localhost:50051', grpc.credentials.createSsl(

Buffer.from(fs.readFileSync(my_root_cert.crt")))

));

Result running the client

E1017 16:17:10.176686000   11891 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.

Server error after client made the request

I1017 17:06:18.330876700   11925 tcp_custom.cc:217]          write complete on 0x2d90750: error="No Error"

I1017 17:06:18.331029000   11925 resource_quota.cc:873]      RQ anonymous_pool_2d8e8d0 ipv4:127.0.0.1:60074: alloc 8192; free_pool -> 0

I1017 17:06:18.331222900   11925 tcp_custom.cc:174]          TCP:0x2d90750 read_allocation_done: "No Error"

I1017 17:06:18.331411000   11925 tcp_custom.cc:191]          Initiating read on 0x2d90750: error="No Error"

I1017 17:06:18.331593800   11925 completion_queue.cc:954]    grpc_completion_queue_next(cq=0x2d9d220, deadline=gpr_timespec { tv_sec: -9223372036854775808, tv_nsec: 0, clock_type: 0 }, reserved=(nil))

I1017 17:06:18.331740200   11925 completion_queue.cc:1054]   RETURN_EVENT[0x2d9d220]: QUEUE_TIMEOUT

I1017 17:06:18.332470400   11925 resource_quota.cc:896]      RQ anonymous_pool_2d8e8d0 ipv4:127.0.0.1:60074: free 8192; free_pool -> 8192

I1017 17:06:18.332555800   11925 tcp_custom.cc:128]          TCP:0x2d90750 call_cb 0x2dce3c0 0x7f5d07b63a30:0x2dce1f0

I1017 17:06:18.332633300   11925 tcp_custom.cc:132]          read: error={"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}

D1017 17:06:18.332712400   11925 security_handshaker.cc:129] Security handshake failed: {"created":"@1539785178.332702700","description":"Handshake read failed","file":"../deps/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":321,"referenced_errors":[{"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}]}

I1017 17:06:18.332782200   11925 tcp_custom.cc:286]          TCP 0x2d90750 shutdown why={"created":"@1539785178.332702700","description":"Handshake read failed","file":"../deps/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":321,"referenced_errors":[{"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}]}

I1017 17:06:18.332864100   11925 handshaker.cc:212]          handshake_manager 0x2d92650: error={"created":"@1539785178.332702700","description":"Handshake read failed","file":"../deps/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":321,"referenced_errors":[{"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}]} shutdown=0 index=1, args={endpoint=(nil), args=(nil) {size=0: (null)}, read_buffer=(nil) (length=0), exit_early=0}

I1017 17:06:18.333795500   11925 handshaker.cc:245]          handshake_manager 0x2d92650: handshaking complete -- scheduling on_handshake_done with error={"created":"@1539785178.332702700","description":"Handshake read failed","file":"../deps/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":321,"referenced_errors":[{"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}]}

D1017 17:06:18.333917300   11925 chttp2_server.cc:113]       Handshaking failed: {"created":"@1539785178.332702700","description":"Handshake read failed","file":"../deps/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":321,"referenced_errors":[{"created":"@1539785178.332456900","description":"EOF","file":"../deps/grpc/src/core/lib/iomgr/tcp_uv.cc","file_line":107}]}

I1017 17:06:18.334201900   11925 resource_quota.cc:532]      RU shutdown 0x2d916c0

I1017 17:06:18.334281900   11925 completion_queue.cc:954]    grpc_completion_queue_next(cq=0x2d9d220, deadline=gpr_timespec { tv_sec: -9223372036854775808, tv_nsec: 0, clock_type: 0 }, reserved=(nil))

I1017 17:06:18.334347300   11925 completion_queue.cc:1054]   RETURN_EVENT[0x2d9d220]: QUEUE_TIMEOUT

Any idea why the handshake fails?

[Carl Mastrangelo]

Two immediate questions;:  

Did you swap the order of the root cert and the my_cert?   When I used openssl verify I had to swap the order.  Normally I would call the CA cert the root.  I think you need to rename the two certs to each other.

The authority you connect to in your client needs to match the authority in the cert.  You are trying to connect to "localhost", but the cert is for "LT-8204PT.cellebrite.local".  They have to match.  You can either add a dns entry in your hosts file to point LT-8204PT.cellebrite.local to 127.0.0.1, or you can regenerate the cert for localhost. 

[sku...@gmail.com]

Thanks.

I have recreated the certificates and the handshake pass successfully