grpc SSL server start problem


AK

Nov 15, 2016, 9:47:37 PM11/15/16
to grpc.io
I know nothing about SSL/TLS and am trying to use an SSL/TLS channel in gRPC by following instructions found online.
Here is the server code:

// At file scope: headers needed for the snippet below (which runs inside main()).
#include <memory>
#include <string>
#include <grpcpp/grpcpp.h>

using grpc::Server;
using grpc::ServerBuilder;

  std::string server_address("0.0.0.0:50051");
  GreeterServiceImpl service;

  // PemKeyCertPair is {private_key, cert_chain}, both PEM-encoded text;
  // "a" and "b" are placeholder strings, not PEM data.
  grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {"a", "b"};
  grpc::SslServerCredentialsOptions ssl_opts;
  ssl_opts.pem_root_certs = "";  // no client CA: clients are not authenticated
  ssl_opts.pem_key_cert_pairs.push_back(pkcp);

  std::shared_ptr<grpc::ServerCredentials> creds =
      grpc::SslServerCredentials(ssl_opts);

  ServerBuilder builder;
  builder.AddListeningPort(server_address, creds);
  builder.RegisterService(&service);
  std::unique_ptr<Server> server(builder.BuildAndStart());

The server won't start and terminates with the following error.

E1115 13:00:55.657846941   17129 ssl_transport_security.c:636] Invalid cert chain file.
E1115 13:00:55.657936436   17129 security_connector.c:830]   Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1115 13:00:55.657954952   17129 server_secure_chttp2.c:344] {"created":"@1479243655.657946821","description":"Unable to create secure server with credentials of type Ssl.","file":"src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.c","file_line":242,"security_status":1}
Server listening on 0.0.0.0:50051
Segmentation fault (core dumped)

Any help would be appreciated.

Christian Svensson

Nov 16, 2016, 2:07:19 AM11/16/16
to AK, grpc.io

Did you pass a real certificate and private key to PemKeyCertPair? If you used "a", "b" that's your problem.


--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscribe@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/e8597c77-c857-4b00-ae7e-2cb207df857f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

AK

Nov 16, 2016, 12:30:33 PM11/16/16
to grpc.io, anand.s...@gmail.com
I added the certificate and key to the server and it starts now. I generated some certificates and keys using a script mentioned in one of the posts in this group. Now, after using the server.crt and server.key generated by that script, the server is running. However, what certificate and key should be added to the client to communicate with the server? Here is my client program. I am using the client.crt and client.key generated by that script.

// At file scope: headers needed for the snippet below (which runs inside main()).
#include <fstream>
#include <sstream>
#include <string>
#include <grpcpp/grpcpp.h>

  // Read the PEM files into strings; gRPC takes PEM text, not file paths.
  std::ifstream tfile("client.crt");
  std::stringstream cli_cert;
  cli_cert << tfile.rdbuf();
  tfile.close();

  tfile.open("client.key");
  std::stringstream cli_key;
  cli_key << tfile.rdbuf();
  tfile.close();

  grpc::SslCredentialsOptions ssl_opts;
  // Roots used to verify the server's certificate. Empty means gRPC falls back
  // to its default root bundle, which does not contain a self-signed server.crt.
  ssl_opts.pem_root_certs = "";
  // Client identity; only needed when the server requests a client certificate.
  ssl_opts.pem_private_key = cli_key.str();
  ssl_opts.pem_cert_chain = cli_cert.str();

  GreeterClient greeter(grpc::CreateChannel(
      "localhost:50051", grpc::SslCredentials(ssl_opts)));
  std::string user("world");
  std::string reply = greeter.SayHello(user);

Here is the error that I get on client side when the client is executed.

E1116 09:26:59.622489462   17976 ssl_transport_security.c:199] ssl_info_callback: error occured.

E1116 09:26:59.622623322   17976 ssl_transport_security.c:945] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E1116 09:26:59.622641277   17976 handshake.c:128]            Security handshake failed: {"created":"@1479317219.622630904","description":"Handshake failed","file":"src/core/lib/security/transport/handshake.c","file_line":264,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}


The error on server side is:

E1116 09:18:28.809683734   17911 server_secure_chttp2.c:123] Secure transport failed with error 1
E1116 09:26:59.606240723   17911 ssl_transport_security.c:1288] No match found for server name: 0.0.0.0.
E1116 09:26:59.622738415   17911 handshake.c:128]            Security handshake failed: {"created":"@1479317219.622724267","description":"Handshake read failed","file":"src/core/lib/security/transport/handshake.c","file_line":237,"referenced_errors":[{"created":"@1479317219.622722928","description":"EOF","file":"src/core/lib/iomgr/tcp_posix.c","file_line":235}]}
E1116 09:26:59.622827154   17911 server_secure_chttp2.c:123] Secure transport failed with error 1

I am guessing something is wrong with the server name?

AK

Nov 16, 2016, 12:33:35 PM11/16/16
to grpc.io, anand.s...@gmail.com
The client code has the server address as 0.0.0.0:50051, not localhost:50051 as mentioned in my previous reply.

Christian Svensson

Nov 16, 2016, 1:00:32 PM11/16/16
to AK, grpc.io

On Wed, Nov 16, 2016 at 6:33 PM, AK <anand.s...@gmail.com> wrote:
The client code has the server address as 0.0.0.0:50051, not localhost:50051 as mentioned in my previous reply.

You need to mint the certificate for the same CN as you connect to.

1. Create a server private key. This is what the server needs to have; it's super-secret.
2. Create a server certificate with CN=localhost, self-signed. This is what the server and the client need to have; it's public.
3. In the client, use the server certificate (*not* the key) as the "roots". This will tell your client to trust servers using that certificate, but only if the CN matches the address you connect to.
4. In the client, connect to localhost.

Done.
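The recipe above as a runnable example, added here and not code from the thread or the gRPC project: it generates the self-signed localhost key and certificate with openssl, then performs the check a client does in step 3, which passes for "localhost" and fails for "0.0.0.0" (the mismatch behind the "No match found for server name" error in the original post). It also puts the hostname in a subjectAltName, since current TLS stacks match the SAN rather than only the CN; the scratch directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: steps 1-2 of the recipe with openssl,
# plus the hostname check a client performs in step 3. Paths are assumptions.
set -e

# Scratch directory so nothing on the host is overwritten.
WORKDIR=$(mktemp -d)

# Steps 1 and 2: server private key (secret) and self-signed certificate (public)
# for the name the client will dial. The SAN is added because modern TLS stacks
# match subjectAltName, not only CN.
make_server_cert() {
  host="$1"
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Step 3, as the client sees it: trust server.crt as the only root and check that
# it is valid for the address being dialled. Returns non-zero on a name mismatch,
# which is what gRPC logs as "No match found for server name".
check_cert_for_host() {
  openssl verify -CAfile "$WORKDIR/server.crt" -verify_hostname "$1" \
    "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Prints the subject CN and the DNS SAN so they can be compared with the dial address.
show_cert_names() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject -text | grep -E 'subject=|DNS:'
}

make_server_cert localhost
show_cert_names
check_cert_for_host localhost && echo "localhost: certificate name matches"
check_cert_for_host 0.0.0.0 || echo "0.0.0.0: name mismatch (expected)"
```

Load server.crt into the client's pem_root_certs and server.key plus server.crt into the server's PemKeyCertPair, and dial localhost rather than 0.0.0.0.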

AK

Nov 16, 2016, 9:03:23 PM11/16/16
to grpc.io, anand.s...@gmail.com
Got it! Thank you.

Kathe Srikanth

Jan 7, 2021, 12:56:46 AM1/7/21
to grpc.io
Thanks for the detailed steps. I guess this is for server-side TLS (correct me if I am wrong); what needs to be done for mutual TLS?