TLS/SSL handshake fails due to peer_name not peer certificate


grpc_client

Jul 20, 2018, 5:57:15 PM
to grpc.io
Hi,

I'm trying to establish a secure gRPC channel in a C++ based client. The connection gets rejected with the following error message:

"Peer name A.B.C.D is not in peer certificate"

As far as I understand, the expected peer_name is the IP of the server to which the connection is being established. I have added the IP address to the certificate as a Subject Alternative Name:

       X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:A.B.C.D

I've added several logs to gRPC and it seems the certificate never gets parsed and the properties are not getting extracted. Any clue as to why this isn't working will be greatly appreciated. The capture shows the certificate as part of the server SSL hello.

gRPC version: 1.2.5
client language: C++

Thanks!
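For readers hitting the same "Peer name ... is not in peer certificate" error, the following is an added illustration (not gRPC's own code, not part of this thread) of the rule a TLS client applies when it matches the configured peer name against the certificate's Subject Alternative Names: an IP literal such as A.B.C.D is compared only against IP Address SAN entries, and a host name only against DNS SAN entries, with a "*." wildcard covering exactly one leftmost label (RFC 6125 style). The SAN list and peer names below are constructed sample values; the example is simplified to IPv4, ignores the Common Name fallback, and names every function itself (PeerNameMatchesSans, DnsMatches, ParseIpv4 are not gRPC APIs).

```cpp
// Added example: peer-name vs. SAN matching as a TLS client performs it.
// Simplifications: IPv4 only, no CN fallback, wildcard only as the whole
// leftmost label. None of these names are gRPC or OpenSSL APIs.
#include <array>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

enum class SanKind { kDns, kIp };

struct SanEntry {
  SanKind kind;
  std::string value;  // e.g. "grpc.example.com", "*.svc.example.com", "10.0.0.5"
};

// Parse a dotted-quad IPv4 literal; std::nullopt if the text is not one.
// Anything that is not an IP literal is treated as a DNS name by the caller.
std::optional<std::array<uint8_t, 4>> ParseIpv4(const std::string& s) {
  std::array<uint8_t, 4> out{};
  size_t pos = 0;
  for (int i = 0; i < 4; ++i) {
    size_t start = pos;
    int value = 0;
    while (pos < s.size() && std::isdigit(static_cast<unsigned char>(s[pos]))) {
      value = value * 10 + (s[pos] - '0');
      if (value > 255) return std::nullopt;  // octet out of range
      ++pos;
    }
    if (pos == start || pos - start > 3) return std::nullopt;  // empty/overlong octet
    out[i] = static_cast<uint8_t>(value);
    if (i < 3) {
      if (pos >= s.size() || s[pos] != '.') return std::nullopt;
      ++pos;
    }
  }
  if (pos != s.size()) return std::nullopt;  // trailing garbage
  return out;
}

// DNS names compare case-insensitively and without a trailing dot.
std::string LowerNoTrailingDot(std::string s) {
  if (!s.empty() && s.back() == '.') s.pop_back();
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Exact match, or a "*." pattern whose wildcard covers exactly one label:
// "*.svc.example.com" matches "api.svc.example.com" but neither
// "a.b.svc.example.com" nor "svc.example.com".
bool DnsMatches(const std::string& pattern_in, const std::string& name_in) {
  std::string pattern = LowerNoTrailingDot(pattern_in);
  std::string name = LowerNoTrailingDot(name_in);
  if (pattern.empty() || name.empty()) return false;
  if (pattern == name) return true;
  if (pattern.rfind("*.", 0) != 0) return false;  // only a leading "*." is a wildcard
  std::string suffix = pattern.substr(1);          // ".svc.example.com"
  if (name.size() <= suffix.size()) return false;
  if (name.compare(name.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
  std::string first_label = name.substr(0, name.size() - suffix.size());
  return first_label.find('.') == std::string::npos;  // wildcard spans one label
}

// The decision behind "Peer name X is not in peer certificate": an IP literal
// may only satisfy an IP SAN, a host name may only satisfy a DNS SAN. A DNS SAN
// whose text happens to look like an IP does not count for an IP peer name.
bool PeerNameMatchesSans(const std::string& peer_name, const std::vector<SanEntry>& sans) {
  std::optional<std::array<uint8_t, 4>> ip = ParseIpv4(peer_name);
  for (const SanEntry& san : sans) {
    if (ip) {
      if (san.kind != SanKind::kIp) continue;
      std::optional<std::array<uint8_t, 4>> san_ip = ParseIpv4(san.value);
      if (san_ip && *san_ip == *ip) return true;
    } else {
      if (san.kind != SanKind::kDns) continue;
      if (DnsMatches(san.value, peer_name)) return true;
    }
  }
  return false;
}

int main() {
  // Constructed SAN list standing in for a parsed server certificate.
  const std::vector<SanEntry> sans = {
      {SanKind::kDns, "grpc.example.com"},
      {SanKind::kDns, "*.svc.example.com"},
      {SanKind::kIp, "10.0.0.5"},
  };
  for (const char* peer : {"10.0.0.5", "10.0.0.6", "GRPC.example.com.", "api.svc.example.com"}) {
    std::cout << peer << " -> " << (PeerNameMatchesSans(peer, sans) ? "ok" : "not in peer certificate") << "\n";
  }
  return 0;
}
```

When the client reports the peer name as missing even though the IP Address SAN is visible in the captured Server Hello, the useful thing to establish is which side of this check is failing: whether the certificate's SAN extension was parsed into the peer properties at all, or whether the name being compared is of the other kind (host name vs. IP literal) than the SAN entry that was issued.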

dc...@eero.com

Jul 26, 2018, 6:15:59 PM
to grpc.io

jian...@google.com

Jul 30, 2018, 4:37:12 PM
to grpc.io
peer_name can be the IP of the server or the name of the server.

Is the server also a C++ server? Could you print in ssl_transport_security.cc whether TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY has been added to tsi_peer on the server side?


On Friday, July 20, 2018 at 2:57:15 PM UTC-7, grpc_client wrote:

grpc_client

Jul 30, 2018, 5:33:34 PM
to grpc.io
Thanks for the replies!

I have found the issue(s) and was able to have a successful SSL handshake.

    * There was a problem with SSL_is_init_finished. For some reason it would return TRUE while still in the middle of a handshake. As a result, the gRPC library will try to verify the peer after sending "SSL Client Hello" prior to receiving the "SSL Server Hello", which obviously would fail since there was no server information at that point to verify.

    * The second problem I ran into after solving the one above was that the gRPC library sometimes attempts to send 0 bytes (BIO_write). So by adding a check for the length to be larger than 0 I was finally able to get the whole handshake to work.

Thanks again for the replies!

David Cowden

Jul 30, 2018, 5:40:26 PM
to hshp...@gmail.com, grp...@googlegroups.com
Are you able to reproduce using a newer gRPC?


grpc_client

Jul 30, 2018, 5:43:45 PM
to grpc.io
Not yet. We are porting to a newer version, so I will update once I have that...

jian...@google.com

Jul 30, 2018, 10:21:31 PM
to grpc.io
If the problem exists on the latest gRPC, could you please file an issue so that we can fix it?