ssl connection via proxy

33 views
Skip to first unread message

Yuriy Hashev

unread,
Feb 25, 2021, 11:04:26 AMFeb 25
to grpc.io
I wrote a simple client to work with some server. Everything works fine with direct access.
But, if I declare the variable, I get the error "Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED."

This is my code for making connection

    string root = read_keycert("../roots.crt");
    grpc::SslCredentialsOptions ssl_opts;
    ssl_opts.pem_root_certs = root;
    ssl_opts.pem_private_key = "";
    ssl_opts.pem_cert_chain = "";

    channel_creds = grpc::SslCredentials(ssl_opts);
    channel = grpc::CreateChannel(URL, channel_creds);
    stub = vox::tts::TTS::NewStub(channel);

I guess i need to make a connection with a parameter GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION.  But I don't understand how.

I need a small example. Thanks.

Mark D. Roth

unread,
Feb 26, 2021, 2:20:35 PMFeb 26
to Yuriy Hashev, grpc.io, Zhen Lian
Are you connecting via an HTTP CONNECT proxy?  If so, you should be able to do this simply by setting the $grpc_proxy environment variable to point at your proxy.

Zhen (CC'ed) can check your SSL creds code to make sure it looks right.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/85f4aee1-c21f-4b53-a6d9-d052323804d8n%40googlegroups.com.


--
Mark D. Roth <ro...@google.com>
Software Engineer
Google, Inc.

Zhen Lian

unread,
Feb 26, 2021, 5:44:36 PMFeb 26
to grpc.io
Hi,
From the error message, most likely the certificate verification failed because the certificate sent from the server is not trusted by your client. You might want to use OpenSSL to check if the cert chain sent from server are trusted by root cert located at "../roots.crt". This is important for establishing a TLS connection.
GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION is dangerous, since itself doesn't provide any mechanism for verification. In most cases that should be combined with some customized checks, and I highly discourage its usages in any of the production code, without any additional checks.




Yuriy Hashev

unread,
Feb 27, 2021, 6:31:13 AMFeb 27
to grpc.io

Yes, the proxy supports this method.  Without a proxy, connection and messaging works well. 

But if I use the http_proxy or grpc_proxy variable I get an error.  If you turn on the debug mode, then you see this error:

I0227 11:28:02.546379100     536 socket_utils_common_posix.cc:428] Disabling AF_INET6 sockets because ::1 is not available.
I0227 11:28:02.642127500     536 http_connect_handshaker.cc:329] Connecting to server tts.3i-vox.xyz:443 via HTTP proxy ipv4:10.34.199.42:3131
E0227 11:28:02.889812400     536 ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
D0227 11:28:02.889915100     536 security_handshaker.cc:182] Security handshake failed: {"created":"@1614425282.889896700","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:02.890231900     536 subchannel.cc:1060]         Connect failed: {"created":"@1614425282.889896700","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:02.909442500     536 http_connect_handshaker.cc:329] Connecting to server tts.3i-vox.xyz:443 via HTTP proxy ipv4:10.34.199.43:3131
E0227 11:28:02.998743200     536 ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
D0227 11:28:02.998861300     536 security_handshaker.cc:182] Security handshake failed: {"created":"@1614425282.998834700","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:02.999375500     536 subchannel.cc:1060]         Connect failed: {"created":"@1614425282.998834700","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:03.018482300     536 http_connect_handshaker.cc:329] Connecting to server tts.3i-vox.xyz:443 via HTTP proxy ipv4:10.34.199.44:3131
E0227 11:28:03.150566400     536 ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
D0227 11:28:03.150632400     536 security_handshaker.cc:182] Security handshake failed: {"created":"@1614425283.150614800","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:03.150838900     536 subchannel.cc:1060]         Connect failed: {"created":"@1614425283.150614800","description":"Handshake failed","file":"/tmp/grpc/src/core/lib/security/transport/security_handshaker.cc","file_line":305,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0227 11:28:03.151011500     536 subchannel.cc:999]          Subchannel 0x55ad9c5eb750: Retry in 418 milliseconds

Help me.
пятница, 26 февраля 2021 г. в 22:20:35 UTC+3, Mark D. Roth:

Yuriy Hashev

unread,
Feb 28, 2021, 3:55:40 PMFeb 28
to grpc.io
I spoke to our security team. I was advised to use corporate root.crt. I changed it in the project, but a new error appeared:

I0228 20:50:39.519296300   14294 http_connect_handshaker.cc:329] Connecting to server tts.3i-vox.xyz:443 via HTTP proxy ipv4:10.34.199.43:3131
D0228 20:50:39.619062800   14294 security_handshaker.cc:182] Security handshake failed: {"created":"@1614545439.619025100","description":"Cannot check peer: missing selected ALPN property.","file":"/tmp/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}
I0228 20:50:39.619545800   14294 subchannel.cc:1060]         Connect failed: {"created":"@1614545439.619025100","description":"Cannot check peer: missing selected ALPN property.","file":"/tmp/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}

I tried changing the environment variable
TSI_OPENSSL_ALPN_SUPPORT=0

But the error repeats itself :-(

суббота, 27 февраля 2021 г. в 01:44:36 UTC+3, Zhen Lian:
Reply all
Reply to author
Forward
0 new messages