gRPC C++ Client sends unencrypted data in spite of SslCredentials

[Malte Isberner]

Hi,

I'm using the gRPC C++ client library (v1.28.1) to talk to a Go HTTP/2 server. I saw "connection reset by pear" on the client a bunch, and no logs on the server (with GODEBUG=http2debug=2 and the maximum Go gRPC log levels - Info and verbosity 99). So I did the following test:

- On a pod in the Kubernetes cluster, run `socat TCP-LISTEN:8080 -`

- Set the gRPC server IP on the client to <pod IP>:8080

To my surprise, not only did I see incoming connections, but even plaintext contents (HTTP headers, method names, etc.). This seems like a severe bug to me - regardless of whether I'm doing something wrong setting up the channel, under no circumstances should a client send any data over a non-TLS connection when TLS is requested. I can try to create a minimal example tomorrow, but the relevant setup logs are here: https://gist.github.com/misberner/8344ae1def9bf2e9619438bb4a6fd44d As you can see, the credentials get loaded OK and a secure channel is created. Also, egrep -i [ui]nsecure on the client logs comes back empty.

I am using static gRPC libraries, which have been built with:

git submodule update --init
mkdir -p cmake/build
cd cmake/build
cmake \
    -DgRPC_CARES_PROVIDER=package \
    -DgRPC_PROTOBUF_PROVIDER=package \
    -DgRPC_SSL_PROVIDER=package \
    -DCMAKE_BUILD_TYPE=Release \
    -DgRPC_INSTALL=ON \
    -DCMAKE_INSTALL_PREFIX=/usr/local \
    ../..
make
make install

I'm using libssl-dev installed via apt-get in a debian:stable Docker image and linking with -lssl -lcrypto.

Any help would be much appreciated!

[Zhen Lian]

Can you please share the example you created please? From the log itself, it is very hard to tell where the problem is. We could find more clues if you can provide how you setup gRPC. Thanks!