I think sslOps.pem_root_certs is only required if your client is using 
client cert auth. 

> so unfortunately I don't know exactly what it does.  But I did have to 
> copy my root cert over to the client device
Without knowing much about what your client does or if it actually loads 
the right root cert, it'd be difficult to diagnose the issue. Maybe some 
gRPC SSL/network expert can chime in here and provide some way of obtaining 
more info on the server.


On Wednesday, April 25, 2018 at 2:22:40 PM UTC-7, Todd Defilippi wrote:
>
> The client is a Cisco device, so unfortunately I don't know exactly what 
> it does.  But I did have to copy my root cert over to the client device, so 
> I'm assuming it does largely what your example does.
>
> Should I have anything set for sslOps.pem_root_certs?  Some of the 
> examples appear to have something, but then others don't.  Or is that field 
> only used when I am setting the SSL options for a client?
>
> Thanks,
> Todd
>
> On Tuesday, April 24, 2018 at 12:29:10 PM UTC-7, Arpit Baldeva wrote:
>>
>> The code you have on server side looks correct to me (I have pretty much 
>> the same code).
>>
>> Have you loaded the root cert for the server on the client (the CA that 
>> issued the cert to the server)? On client side, code could look like:
>>
>>                 std::string rootCerts;
>>                 readSSLFile("cacert.pem", rootCerts);
>>
>>                 grpc::SslCredentialsOptions sslOps;
>>                 sslOps.pem_root_certs = rootCerts;
>>
>>                 GrpcClient grpceClient(grpc::CreateChannel(ENDPOINT_1_EXTERNAL_SECURE,
>>                     grpc::SslCredentials(sslOps)));
>>
>> There are some details at  https://github.com/grpc/grpc/issues/9593  
>>
>> HTH.
>>
>>
>>
>> On Sunday, April 22, 2018 at 8:43:48 AM UTC-7, Todd Defilippi wrote:
>>>
>>> I am trying to get TLS authentication working for a C++ server 
>>> implementation I am working on.
>>>
>>> The relevant code is:
>>>
>>>         grpc::SslServerCredentialsOptions::PemKeyCertPair keyCert
>>>             = { tlsKeyContents_, tlsCertContents_ };
>>>         grpc::SslServerCredentialsOptions sslOps;
>>>         sslOps.pem_root_certs = "";
>>>         sslOps.pem_key_cert_pairs.push_back(keyCert);
>>>         builder_->AddListeningPort(addr,
>>>             grpc::SslServerCredentials(sslOps));
>>>
>>> where tlsKeyContents_ and tlsCertContents_ are the server key and 
>>> certificate, respectively.
>>>
>>> I seem to be unable to get the TLS handshake to work.  When I enable 
>>> gRPC logging, I see:
>>>
>>> D0421 17:22:09.629340909   24866 tcp_posix.c:531]            write: 
>>> {"created":"@1524356529.629325854","description":"OS 
>>> Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken
>>>  
>>> pipe","syscall":"sendmsg"}
>>> D0421 17:22:09.629435059   24866 security_handshaker.c:126]  Security 
>>> handshake failed: 
>>> {"created":"@1524356529.629415453","description":"Handshake write 
>>> failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS
>>>  
>>> Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken
>>>  
>>> pipe","syscall":"sendmsg"}]}
>>> D0421 17:22:09.629455934   24866 lockfree_event.c:167]       
>>> lfev_set_shutdown: 0x7fa0911b1648 curr=(nil) 
>>> err={"created":"@1524356529.629415453","description":"Handshake write 
>>> failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS
>>>  
>>> Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken
>>>  
>>> pipe","syscall":"sendmsg"}]}
>>> D0421 17:22:09.629474573   24866 lockfree_event.c:167]       
>>> lfev_set_shutdown: 0x7fa0911b1650 curr=0x2 
>>> err={"created":"@1524356529.629415453","description":"Handshake write 
>>> failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS
>>>  
>>> Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken
>>>  
>>> pipe","syscall":"sendmsg"}]}
>>> D0421 17:22:09.629490837   24866 combiner.c:218]             
>>> C:0x7fa09105ec60 grpc_combiner_execute c=0x7fa091231c90 cov=0 last=1
>>> D0421 17:22:09.629500108   24866 timer_generic.c:322]        TIMER 
>>> 0x7fa091054980: CANCEL pending=true
>>> D0421 17:22:09.629506399   24866 chttp2_server.c:83]         Handshaking 
>>> failed: {"created":"@1524356529.629415453","description":"Handshake write 
>>> failed","file":"src/core/lib/security/transport/security_handshaker.c","file_line":346,"referenced_errors":[{"created":"@1524356529.629325854","description":"OS
>>>  
>>> Error","errno":32,"file":"src/core/lib/iomgr/tcp_posix.c","file_line":424,"grpc_status":14,"os_error":"Broken
>>>  
>>> pipe","syscall":"sendmsg"}]}
>>>
>>> Is there something I am missing?  (Please let me know if there is any other 
>>> relevant logging/output I should include.)
>>>
>>> Thanks,
>>> Todd
>>>
>>
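
A pre-flight check for the buffers discussed in this thread, added here as an example (it is not code from the thread or from gRPC): it confirms that the strings handed to `pem_key_cert_pairs` and `pem_root_certs` are complete PEM blocks of the right kind before the handshake itself is suspected. The helper names `pemLabels`, `checkKeyCertPair` and `checkRootCerts` are hypothetical, and the sample buffers are constructed.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not a gRPC API): labels of every complete BEGIN/END PEM block.
std::vector<std::string> pemLabels(const std::string& pem) {
    const std::string begin = "-----BEGIN ", dashes = "-----";
    std::vector<std::string> labels;
    std::size_t pos = 0;
    while ((pos = pem.find(begin, pos)) != std::string::npos) {
        std::size_t start = pos + begin.size(), stop = pem.find(dashes, start);
        if (stop == std::string::npos) break;
        std::string label = pem.substr(start, stop - start);
        std::size_t end = pem.find("-----END " + label + dashes, stop);
        if (end == std::string::npos) break;  // truncated block is not counted
        labels.push_back(label);
        pos = end + 1;
    }
    return labels;
}

// Empty result: the two buffers look usable as one pem_key_cert_pairs entry.
std::string checkKeyCertPair(const std::string& key, const std::string& certChain) {
    const std::vector<std::string> k = pemLabels(key), c = pemLabels(certChain);
    const std::string want = "PRIVATE KEY";
    if (k.size() != 1 || k[0].size() < want.size() ||
        k[0].compare(k[0].size() - want.size(), want.size(), want) != 0)
        return "key buffer must hold exactly one PEM private key";
    if (c.empty()) return "certificate buffer holds no complete CERTIFICATE block";
    for (const std::string& l : c)
        if (l != "CERTIFICATE") return "certificate buffer holds a " + l + " block";
    return "";
}

// Client side (the cacert.pem buffer). Empty result: usable as pem_root_certs.
std::string checkRootCerts(const std::string& roots) {
    if (roots.empty()) return "empty: gRPC falls back to its default roots, not your CA";
    const std::vector<std::string> r = pemLabels(roots);
    for (const std::string& l : r)
        if (l != "CERTIFICATE") return "root buffer holds a " + l + " block";
    return r.empty() ? "no complete CERTIFICATE block" : "";
}

int main() {
    // Constructed buffers: PEM armor around placeholder base64, not real key material.
    const std::string cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";
    const std::string key = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";
    std::cout << "swapped pair: " << checkKeyCertPair(cert, key) << "\n"
              << "empty roots: " << checkRootCerts("") << "\n";
}
```

This only inspects the PEM armor; whether the root actually issued the server certificate still has to be verified against the real files.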
