How to set TLS SNI, aka hostname to send during client hello handshake in C++/Python.

[yangc...@gmail.com]

How to set the TLS/SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) in the the Python/C++ gRPC client API?

In other word, what's the equivalent of setting the `-servername` in `openssl s_client`?

I have verified my TLS server works by using the correct flags on `openssl s_client`:

```sh

 openssl s_client -connect "myserver.tunnel.dev:4443" -servername "myserver.tunnel.dev" 

```

However, I wasn't able to setup the credentials correct with the Python /C++ API:

```python

    uri = "myserver.tunnel.dev:4443"

    hostname = "myserver.tunnel.dev"

    creds = grpc.ssl_channel_credentials(

        root_certificates=dev_cert)

        # root_certificates=certificate_chain)

        # certificate_chain=certificate_chain)

    channel = grpc.secure_channel(uri, creds,

        options=(('grpc.ssl_target_name_override', hostname),)

    )

# This throws

```python

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNAVAILABLE, Connect Failed)>

```

```

[jian...@google.com]

In grpc c core and wrapped languages, the only way to set SNI is to use GRPC_SSL_TARGET_NAME_OVERRIDE_ARG.

See https://github.com/grpc/grpc/blob/master/test/core/end2end/h2_ssl_cert_test.cc#L176 for example.

Not sure about this python error though.

[Eric Anderson]

Jiangtao, if it's the case you must use the override to enable SNI, that's a bug that needs to be fixed. We should be enabling SNI just by the target string (so from the uri, "myserver.tunnel.dev" in the example).

However, even if you do need to use the override, the code linked does use the override. GRPC_SSL_TARGET_NAME_OVERRIDE_ARG is grpc.ssl_target_name_override.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/b763a855-06b5-4c96-9a8d-2aca2b314802%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jiangtao Li]

+Mehrdad,

Could you please reproduce? 

In tsi_ssl_client_handshaker_factory_create_handshaker(), do a debug log on server_name_indication parameter. If this value is not set, I suspect something is wrong with plumbing from python to c core to tsi.

If this value is set, it could be a bug in TSI, I will take a look then.

Thanks,

Jiangtao

[Eric Anderson]

I've been able to reproduce that you must have the override for SNI to work using the gcr.io/grpc-testing/grpc_interop_python:v1.15.0 image. Our interop tests that require SNI are passing --server_host_override=grpc-test.sandbox.googleapis.com, which should not be necessary. I've filed https://github.com/grpc/grpc/issues/16759 .

As part of that, I did verify (including with wireshark) that specifying the override uses SNI.

[Eric Anderson]

Oh, and I should mention that the python interop client I tested did use grpc.ssl_target_name_override for the override:

https://github.com/grpc/grpc/blob/v1.15.1/src/python/grpcio_tests/tests/interop/client.py#L103-L106

[jian...@google.com]

I am confused why you need SNI in this case. You uri is the hostname with port.

You can just use

  channel = grpc.secure_channel(uri, creds) 

without SNI. It should work. The reason is that uri will be plumbed to grpc core. When grpc checks server hostname in grpc_ssl_host_matches_name(), the port will be stripped. You don't need to set SNI to do so. In fact, you don't need to set anything, your uri will be used as server hostname.

Back to the failure, we need to reproduce and see why it fails.

Eric: the reproduction using interop-test is not right, since interop-test will force SNI to a default hostname_override values. 

On Thursday, September 20, 2018 at 5:55:52 PM UTC-7, yangc...@gmail.com wrote: