SSL/TLS handshake NPN vs ALPN

[grpc_client]

Hi, got a quick question which has bothered me for the past couple of days.

I have a C++ gRPC client (which uses the 1.2.5 gRPC library). The SSL/TLS handshake fails with the following error: "Cannot check peer: missing selected ALPN property"

Digging a little deeper I found that the client in fact sends an NPN (next_protocol_negotiation) ssl extension and receives the same NPN extension from the server - which I find to be the correct behavior as far as SSL is concerned. However it seems that the gRPC code expects an ALPN extension instead.

Am I doing something wrong? I have tested the server with the openssl tool, with both NPN and ALPN options and both handshakes were successful

Thanks!

[jian...@google.com]

Could you give us more details on 

- what is your client language, which version of ssl client uses.

- what is your server language, which version of ssl server uses.

It looks like that your ssl is before 1.0.2 and there is no ALPN.

[grpc_client]

Thanks for the reply!

The client is in C++ and the server is in Go. I am not sure about the SSL version for both. The handshake itself is successful though!

The client sends NPN, the server responds with NPN - no problems. However during the processing of the response in security_connector.cc the gRPC code complains about receiving NPN and not ALPN.

I believe this is a bug due to bad handling of the TSI_OPENSSL_ALPN_SUPPORT macro. Wondering if anyone else ran into it and if there is a fix to it.

Thanks!

[Jiangtao Li]

+ Nicolas

It looks like your libssl version is before 1.0.2 thus NPN is used. In gRPC, APLN (rather than NPN) will be used if it is available. If you try to uninstall system libssl using the following command, try again. 

$ sudo apt-get remove libssl-dev

Thanks,

Jiangtao

--
You received this message because you are subscribed to a topic in the Google Groups "grpc.io" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/grpc-io/x25rc8lJK4k/unsubscribe.
To unsubscribe from this group and all its topics, send an email to grpc-io+u...@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/75d914ed-5050-45d6-92a5-e470502720ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[grpc_client]

Thanks, I will try to check the ssl library we have.

However, shouldn't the gRPC client work with an NPN response if it sends the NPN request by itself?

[jian...@google.com]

This PR would fix the the check peer error if both client and server use NPN rather than ALPN.

https://github.com/grpc/grpc/pull/16007

[grpc_client]

The fix worked! Thanks a lot!

Will it go into the next grpc release?

Thanks

[grpc_client]

Thanks again for the help with the NPN/ALPN mismatch. I am not sure if this is related but once past this hurdle I now hit this: https://groups.google.com/forum/#!topic/grpc-io/JM03ozdbwXs

It seems that the tsi_peer structure has no properties - I have no idea what this is happening...

Thanks!

[Gustavo Cayres]

Hi!

I'm also running into this problem while using a gRPC-Python client and a gRPC-Go server.

I'm not sure if this will sound dumb but, to make use of this fix, would I have to change the value of the macro and compile the gRPC-Python locally?

[Srini Polavarapu]

The fix is made in gRPC Core which gRPC-Python wraps. If you are building from src from an older version then yes, you will have to patch the file. If you are doing pip install, you could either wait for next release or try nightly builds from https://packages.grpc.io/