(C#, Objc) Diagnosing SSL issues

Rob Cecil

Apr 22, 2019, 4:36:46 PM
to grpc.io
I have an existing implementation of a C#-based Grpc server (running on Windows 10 Server), and an iOS/Objc-based grpc client and I can successfully connect, login, make calls, etc. My issue is switching from nonsecure to SSL, using the same network Name & port, etc.

I'm using self-signed server certificates, and I distribute the CA Cert that I created for my org to the test iOS device (via email) and install the Profile and make sure it is valid and activated in iOS Settings.

When I enable SSL in the client and server, I cannot connect. There is no discernable error on either side. The connect aborts right away.

I am following roughly the same steps here to initialize and start the C# Server:


Here's my relevant code snippet:

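            // Requires: using System.Collections.Generic; using System.IO; using Grpc.Core;
            ServerCredentials credentials = ServerCredentials.Insecure;
            if (cfg.UseSSL)
            {
                // All three files are read as PEM text.
                var cacert = File.ReadAllText(cfg.CACertLocation);
                var servercert = File.ReadAllText(cfg.ServerCertLocation);
                var serverkey = File.ReadAllText(cfg.ServerKeyLocation);
                var keypair = new KeyCertificatePair(servercert, serverkey);
                // cacert is the root set used to verify client certificates;
                // the final 'false' means client certificates are not required (no mutual TLS).
                credentials = new SslServerCredentials(new List<KeyCertificatePair> { keypair }, cacert, false);
            }

            var server = new Server
            {
                Services =
                {
                    BackendService.BindService(wanderBackendServiceImpl),
                    ManagementService.BindService(management)
                },
                // The same host and port are used for both the insecure and the SSL configuration.
                Ports = { { hostAddress, port, credentials } }
            };

            server.Start();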

On the iOS side, it is simply a matter of not turning on Insecure mode on the relevant Grpc class (i.e. by default SSL is enabled).

I am not using Mutual SSL/TLS - the client should just attempt to validate the server certificate using CA cert it has been signed with (both server & CA are created internally at my org).

How do I diagnose my problem? I've been looking at:

https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md

But I am not sure where such log information would be by default generated. Event Log? 

Thanks!

David Cowden

Apr 22, 2019, 5:04:04 PM
to Rob Cecil, grpc.io
grpc bundles openssl (boringssl) and ships with its own roots.pem. It does not use the system store on iOS. You can either manually add your CA certificate to that file at `pod install`/`pod update` time or, preferably, configure grpc to use your in-house CA when you create the GRPCCall via https://github.com/grpc/grpc/blob/36b47ce0de60754cf14258e15d25dd2d1bb5abe0/src/objective-c/GRPCClient/GRPCCall%2BChannelCredentials.h#L24

GRPC_TRACE=all will surface some errors that you can use. They show up in the log in Xcode if you have All Output selected.

David



--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/1b700a9b-edba-4212-95da-03c0c35c634d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rob Cecil

Apr 23, 2019, 4:49:32 PM
to grpc.io
Thanks David,

I switched my iOS code to calling setTLSPEMRootCerts( certStringData, forHost: myHostName). From what I can see everything is set up correctly.

But I get:

E0423 16:45:55.527496000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:00.529906000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:05.530279000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:10.533879000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:15.537614000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:25.543934000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.

E0423 16:46:40.549839000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.


Rob Cecil

Apr 23, 2019, 4:58:31 PM
to grpc.io
Using on iOS: gRPC version 1.18.0, ProtoCompiler 3.6.0, BoringSSL-GRPC 0.0.2

Rob Cecil

Apr 23, 2019, 5:01:57 PM
to grpc.io
On the server I am using Grpc 1.19.  Not sure that could cause the handshake issue.

David Cowden

Apr 24, 2019, 1:19:09 PM
to Rob Cecil, grpc.io
Have you seen: https://github.com/grpc/grpc/issues/9538? Make sure you're using a secure channel on the client. If you believe you are, perhaps double check that the CA data you're giving setTLSPEMroots is PEM-formatted DER-encoded pkcs12. If openssl does not understand the data perhaps the channel is acting like an insecure one?

David
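
An added diagnostic sketch, not part of the thread or of gRPC's own code: BoringSSL raises WRONG_VERSION_NUMBER when the first bytes it reads do not form a valid TLS record header, which is what a TLS client sees if the listener answers in cleartext. The helper below classifies a listener's first reply bytes; the function names are hypothetical and the sample replies are constructed.

```python
import socket

# TLS record header: content type (1) | version 3.x (2) | length (2)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# HTTP/2 client preface plus an empty SETTINGS frame; a cleartext h2 server answers it.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"

def classify_first_bytes(data: bytes) -> str:
    """Name the protocol implied by the first bytes a listener sends."""
    if not data:
        return "no-data"
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3 and data[2] <= 4:
        return "tls-" + TLS_TYPES[data[0]]
    # HTTP/2 frame header: length (3) | type (1) | flags (1) | stream id (4).
    # A server's first frame is SETTINGS (type 4) on stream 0, length a multiple of 6.
    if (len(data) >= 9 and data[3] == 0x04 and data[5:9] == b"\x00" * 4
            and int.from_bytes(data[:3], "big") % 6 == 0):
        return "cleartext-http2"
    if data.startswith(b"HTTP/1."):
        return "cleartext-http1"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the cleartext preface to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(H2_PREFACE)
        try:
            return classify_first_bytes(sock.recv(16))
        except (socket.timeout, ConnectionResetError):
            return "no-data"  # silent or reset: the listener did not accept cleartext

# Constructed sample replies (not captured from the thread's server).
SAMPLES = {
    "tls_alert": bytes.fromhex("15030300020246"),
    "tls_server_hello": bytes.fromhex("160303007a02000076"),
    "h2_settings": bytes.fromhex("000012040000000000") + bytes(18),
    "http1_error": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {classify_first_bytes(raw)}")
```

If `probe()` reports `cleartext-http2` for the exact address and port the client dials, that listener is not running with SSL credentials, and a TLS client connecting there will read the SETTINGS frame as a malformed record header.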


Rob Cecil

Apr 25, 2019, 2:37:45 PM
to grpc.io
Thanks David.

It turned out I was still using an IP address after I reset some UI state when I thought I was using a hostname for the server.

THANKS