grpc client with TLS on macOS


Dmitriy Bashkalin

Dec 24, 2021, 2:54:36 AM
to grpc.io
Hello!

I'm trying to create a C++ gRPC client (1.37.0) which works on macOS (Big Sur/Monterey on Intel/M1) with TLS server verification. On Windows, similar client code works just fine. But on macOS I always get "TRANSIENT_FAILURE" as the channel state. On the server side there is an "ssl handshake error".
I found that there is a problem with HTTP/2 over TLS.

Is the insecure endpoint the only possible solution on macOS?

Thx for your time & help.

Zhen Lian

Dec 29, 2021, 6:56:11 PM
to grpc.io
Thanks for raising the issue!

I am still not sure of the root cause of this problem. Is it possible to share the error logs on both sides?

And another question: in your client code, did you explicitly specify your root certificates? To enable TLS, the client side needs to specify the root certs. On some systems, if such root certs are not specified, we will load the root certs from a default location, but it looks like on Mac that is not the case. I am guessing that might be the cause of the problem. Can you please double-check that?

Dmitriy Bashkalin

Dec 30, 2021, 1:53:32 AM
to grpc.io
Hello! Thx for the reply!
Now I'm sure that there is no problem with HTTP/2 support on macOS, so something is wrong with my code. I believe it's something with dependencies.
Yep, the first thing I checked was the certificate itself. I define the root certificate with 'StaticDataCertificateProvider' initialised with a string from the cert data (also checked with 'FileWatcherCertificateProvider' with the cert path). I also checked that the string with the cert data is correct.
An insecure connection works just fine (I mean the server example).
How can I get error logs or something? From the client code I didn't see any error - I mean the connection cannot be established due to problems with the SSL handshake, so it kept trying until the timeout.
But (possibly off-topic) when I was looking for a possible solution I tried to turn off server verification (GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION) and my client threw an exception 'grpc_channel_check_connectivity_state called on something that is not a client channel, but 'lame-client''. Is that correct? In debug, 'host' and 'port' in the channel were empty - that's a possible reason for the "lame client", but I don't know why, because I define the server info.

While writing this, I found a recommendation to remove grpc_unsecure & grpc++_unsecure from the deps, and the code started to work properly. I also rebuilt all dependencies and it also worked, even without removing those two libs. Now I'm a little bit confused. Previously the build was the same - with cmake, two independent builds for x86_64 and arm64 (M1), combined into a multi-architecture static lib with 'lipo -create'.

So I think the problem is resolved for now. I don't know how and where the original problem was (possibly an error in the build deps).



Zhen Lian

Jan 4, 2022, 1:42:20 PM
to grpc.io

Cool, glad to hear that the problem is solved. Feel free to get back if anything else comes up.
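
One of the two changes reported in the thread was removing grpc_unsecure and grpc++_unsecure, the gRPC builds without TLS support, from the link dependencies. As an added example (not code from the thread or from the gRPC project), this script flags a link command that mixes those libraries with the TLS-capable ones; the function names and sample link lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag a link command that pulls in both
# the TLS-capable gRPC libraries and their "_unsecure" variants.

# Constructed sample link lines; paths and object names are placeholders.
SAMPLE_MIXED='c++ -o client main.o /opt/grpc/lib/libgrpc++.a /opt/grpc/lib/libgrpc.a /opt/grpc/lib/libgrpc++_unsecure.a /opt/grpc/lib/libgrpc_unsecure.a -lssl -lcrypto'
SAMPLE_CLEAN='c++ -o client main.o -lgrpc++ -lgrpc -lgpr -lssl -lcrypto'

# Print the gRPC library names in a link command, one per line.
# Understands "-lgrpc++" flags and "/path/libgrpc++.a|.dylib|.so" tokens.
grpc_libs_in_link_line() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | while IFS= read -r tok; do
        case "$tok" in
            -lgrpc*) name=${tok#-l} ;;
            *libgrpc*.a|*libgrpc*.dylib|*libgrpc*.so)
                name=${tok##*/}; name=${name#lib}; name=${name%.*} ;;
            *) continue ;;
        esac
        printf '%s\n' "$name"
    done | LC_ALL=C sort -u
}

# Exit status: 0 = no "_unsecure" library linked, 1 = secure and "_unsecure"
# variants mixed, 2 = only "_unsecure" variants linked.
check_grpc_link_line() {
    libs=$(grpc_libs_in_link_line "$1")
    secure=$(printf '%s\n' "$libs" | grep -c -E '^grpc(\+\+)?$' || true)
    unsecure=$(printf '%s\n' "$libs" | grep -c -E '^grpc(\+\+)?_unsecure$' || true)
    if [ "$unsecure" -gt 0 ] && [ "$secure" -gt 0 ]; then
        echo "mixed: TLS-capable and _unsecure gRPC libraries are both linked" >&2
        return 1
    elif [ "$unsecure" -gt 0 ]; then
        echo "only _unsecure gRPC libraries (built without TLS) are linked" >&2
        return 2
    fi
    return 0
}

# Demo on the constructed mixed link line.
check_grpc_link_line "$SAMPLE_MIXED" || echo "exit status: $?"
```

For a CMake build, the text to pass in is the link command that CMake generated for the client target.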