I am linking in Eric (ej...@google.com)

Looks like #3992 <https://github.com/grpc/grpc-java/pull/3992> added the
example of generating credentials. Any input on why that won't work for a
C++ TLS greeter service (copying the GitHub creds will work)?

On Wed, Apr 4, 2018 at 2:02 PM David Audrain <david.audr...@gmail.com>
wrote:

> I've implemented a tls version of helloworld/greeter_client
> <https://github.com/daudrain/grpc/blob/cpp_greeter_tls_example/examples/cpp/helloworld/greeter_tls_client.cc>
> and server
> <https://github.com/daudrain/grpc/blob/cpp_greeter_tls_example/examples/cpp/helloworld/greeter_tls_server.cc>
> .
>
> First test case (failing one)
>
> Then I followed these steps
> <https://github.com/grpc/grpc-java/blob/master/examples/README.md#generating-self-signed-certificates-for-use-with-grpc>
> to create certificate, keys, etc...
>
> greeter_tls_server is run
> ~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_server
> localhost 50051 ca.crt server.crt server.key
>
> greeter_tls_client is run
> ~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_client
> localhost 50051 localhost ca.crt
>
> greeter_tls_client fails
> SSL target name override : SET TO [localhost]
> E0404 16:43:27.918287000 140735524692800 ssl_transport_security.cc:1063]
> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL
> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
> E0404 16:43:27.933634000 140735524692800 ssl_transport_security.cc:1063]
> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL
> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
> 14: Connect Failed
> Greeter TLS received: RPC failed
>
> Java HelloWorldTlsClient from grpc-java succeeds:
> ~/sources/github.com/grpc/grpc-java/examples$ ./build/install/examples/bin/hello-world-tls-client localhost 50051 ca.crt
> Apr 04, 2018 4:40:52 PM io.grpc.examples.helloworldtls.HelloWorldClientTls
> greet
> INFO: Will try to greet localhost ...
> Apr 04, 2018 4:40:52 PM io.grpc.examples.helloworldtls.HelloWorldClientTls
> greet
> INFO: Greeting: TLS Hello localhost
>
> Second test case (success)
>
> The grpc repository contains certificate and keys generated in
> src/core/tsi/test_creds
> <https://github.com/grpc/grpc/tree/master/src/core/tsi/test_creds>. (BTW
> I've not been able to regenerate these files myself following the provided
> README
> <https://github.com/grpc/grpc/blob/master/src/core/tsi/test_creds/README>)
>
> This second test case uses the credentials of grpc repository.
>
> greeter_tls_server:
> ~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_server localhost 50051 ../../../src/core/tsi/test_creds/ca.pem ../../../src/core/tsi/test_creds/server0.pem ../../../src/core/tsi/test_creds/server0.key
>
> greeter_tls_client succeeds:
> ~/sources/github.com/grpc/grpc/examples/cpp/helloworld$ ./greeter_tls_client localhost 50051 foo.test.google.com.au ../../../src/core/tsi/test_creds/ca.pem
> SSL target name override : SET TO [foo.test.google.com.au]
>
> Greeter TLS received: TLS Hello world
>
>
> Java HelloWorldTlsClient fails (I guess the domain *.test.google.com.au
> should be specified somewhere)
> Apr 04, 2018 4:54:10 PM io.grpc.examples.helloworldtls.HelloWorldClientTls
> greet
> INFO: Will try to greet localhost ...
> Apr 04, 2018 4:54:10 PM io.grpc.examples.helloworldtls.HelloWorldClientTls
> greet
> WARNING: RPC failed: Status{code=UNAVAILABLE, description=io exception,
> cause=javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
>  at io.netty.handler.ssl.
> ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(
> ReferenceCountedOpenSslContext.java:634)
> ....
> Caused by: java.security.cert.CertificateException: No name matching
> localhost found
>  at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
>
>
>
> Conclusion : Using the credentials from the grpc repository,
> greeter_tls_client works ok against greeter_tls_server.
>
> Questions : What is wrong with the credentials generation provided on the 
> grpc-java
> example README
> <https://github.com/grpc/grpc-java/blob/master/examples/README.md#generating-self-signed-certificates-for-use-with-grpc>
> ?
>
>
> On Wednesday, April 4, 2018 at 1:33:03 PM UTC-4, ncte...@google.com wrote:
>
>> That seems like the right way to go about it.
>>
>> Are you running into trouble? What are the errors?
>>
>> On Thursday, March 29, 2018 at 3:36:59 PM UTC-7, David Audrain wrote:
>>>
>>> Hi,
>>>
>>> My C++ Client tries to connect my dev server using TLS but connection
>>> keeps failing while checking the dev server certificate.
>>>
>>> The go version uses the following workaround to skip the verification:
>>>
>>>     grpcOpts := []grpc.DialOption{}
>>>     creds := credentials.NewTLS(&tls.Config{InsecureSkipVerify: *insecureSkipVerify})
>>>     grpcOpts = append(grpcOpts, grpc.WithTransportCredentials(creds))
>>>
>>> What is the equivalent with C++ GRPC library?
>>>
>>> Should I use *ChannelArguments::SetSslTargetNameOverride* ?
>>>
>>> Thank you,
>>> David
>>>
>> --
> You received this message because you are subscribed to the Google Groups "
> grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To post to this group, send email to grpc-io@googlegroups.com.
> Visit this group at https://groups.google.com/group/grpc-io.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/a0abe609-d93e-40a9-9aeb-45149e60551b%40googlegroups.com
> <https://groups.google.com/d/msgid/grpc-io/a0abe609-d93e-40a9-9aeb-45149e60551b%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
