PHP and Python client fails SSL connection


jis...@wepay.com

Feb 5, 2019, 7:01:54 PM
to grpc.io

Hello,


We are currently facing an issue with trying to connect our PHP gRPC client with SSL to our Java gRPC server. The gRPC service we are trying to connect to is running on a service mesh (linkerd/namerd), and the call first hits a linkerd instance that routes to the service.


When we run a Java client using the trusted certificate, it is able to connect to the server; however, with a Python and PHP client, the SSL connection fails even with the same cert.


Java client code:


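import java.io.File;
import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;

ManagedChannel channel = NettyChannelBuilder.forAddress(host, port)
        .overrideAuthority("cert-common-name")
        .sslContext(GrpcSslContexts.forClient().trustManager(new File("path/to/cert")).build())
        .build();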



Python code:


import grpc

# Read the PEM as bytes; the channel target must be "host:port".
credentials = grpc.ssl_channel_credentials(open('path/to/cert', 'rb').read())
channel = grpc.secure_channel(host + ':' + str(port), credentials, options=(('grpc.default_authority', 'cert-common-name',),))



PHP code:



$channel_credentials = \Grpc\ChannelCredentials::createSsl(file_get_contents('path/to/cert'));
$channel = new \Grpc\Channel($hostname,
    [
        'grpc_target_persist_bound' => 2,
        'grpc.default_authority' => 'cert-common-name',
        'credentials' => $channel_credentials
    ]);



We are interested in fixing the problem for PHP at the moment. Our PHP client runs in a CentOS 7 docker container with nginx + php-fpm.


We have tried to make the OS trust the certificate by using update-ca-trust. Running openssl s_client -connect host:port returns:


verify error:num=2:unable to get issuer certificate


We receive the following error when calling the server with the created client for PHP:


ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED


With the gRPC logs, we can see that the connection fails when it tries to call the security handshake.


We are not sure why the Java client is able to connect to the server while the PHP and Python clients cannot with the same cert.


Has anyone run into these issues before? It would be helpful if anyone has some information on this, as this is currently a high-priority blocker for us.


Thank you.

Stanley Cheung

Feb 5, 2019, 9:03:02 PM
to jis...@wepay.com, grpc.io
Did you try supplying the "grpc.ssl_target_name_override" key to the options?


jis...@wepay.com

Feb 6, 2019, 1:52:41 PM
to grpc.io
Yes, we have tried to use that option, but it does not change anything. Here are the gRPC versions we are using.

For PHP we are using the packages php56-php-pecl-grpc (version 1.17.0) and php56-php-pecl-protobuf (version 3.6.1) and openssl (version 1.0.2k-fips). The Java dropwizard-grpc version for the server is 1.1.3-1. The Java grpc-netty, grpc-protobuf, and grpc-stub versions for the Java client are 1.13.1.

Srini Polavarapu

Feb 10, 2019, 11:09:34 PM
to grpc.io
You are very likely running into this issue. This fix will be available in gRPC release 1.19.0. You can try nightly pkgs from https://packages.grpc.io/ or wait for 1.19 RC coming out early next week.

jis...@wepay.com

Feb 11, 2019, 6:43:17 PM
to grpc.io
Srini, thanks for the reply. I tried again with the latest changes and it works!
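
Added example, not code from any participant in this thread: a standard-library Python probe that trusts only the given PEM file and checks the server certificate against the override name, then reports whether a failure is a chain-of-trust error (such as the `openssl s_client` verify error 2 quoted above) or a name mismatch. The function names, the grouping of OpenSSL verify codes and the placeholder endpoint are this example's own assumptions.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, grouped by what has to change to clear them.
TRUST_CODES = {2, 18, 19, 20, 21}  # issuer or root not in the trust file
NAME_CODES = {62}                  # chain verifies, name is not in the certificate


def classify(exc):
    """Return 'trust', 'name', 'verify-other' or 'non-verify' for a handshake error."""
    if not isinstance(exc, ssl.SSLCertVerificationError):
        return "non-verify"
    code = getattr(exc, "verify_code", None)
    if code in TRUST_CODES:
        return "trust"
    if code in NAME_CODES:
        return "name"
    return "verify-other"


def probe(host, port, cafile, expected_name, timeout=5.0):
    """Handshake trusting only `cafile`; check the cert against `expected_name`."""
    try:
        # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and the hostname check, and
        # loads no OS trust store, so only `cafile` is trusted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
        ctx.set_alpn_protocols(["h2"])  # gRPC runs over HTTP/2
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname is both the SNI value and the name that is verified.
            with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
                return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc), str(exc)


if __name__ == "__main__":
    # Placeholder values (assumptions): substitute the real endpoint, PEM and name.
    print(probe("host.example", 443, "path/to/cert", "cert-common-name"))
```

A "trust" result means the PEM file does not contain the issuer the server's chain needs, which no name override changes; a "name" result means the override does not match a name in the certificate.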