[grpc-io] Re: Should gRPC use the trust-store for client-side SSL?

Mon, 29 Oct 2018 14:03:02 -0700 

Hi Lidi,

Yep, that works too - eg. for the Python client:

with open('ca.crt', 'rb') as f:
    creds = grpc.ssl_channel_credentials(f.read())
channel = secure_channel(host, creds)

Where ca.crt is the same certificate that I imported into the trust store. 

However, I don't want to distribute the client certificate with the 
application. In a corporate environment I'd expect a sysadmin to push the 
corporate CA root certificate to the trust store... right?

Cheers, Mark

On Monday, 29 October 2018 20:43:59 UTC+1, li...@google.com wrote:
>
> Hi Mark,
>
> Can you try to add the root certificates to the gRPC client, and see if 
> the warning go away?
> API for client-side credentials: 
> https://grpc.io/grpc/python/grpc.html#grpc.ssl_channel_credentials
>
> Lidi
>
> On Monday, October 29, 2018 at 12:25:28 PM UTC-7, Mark Nuttall-Smith wrote:
>>
>> Hi,
>>
>> I have a gRPC client (C# and Python) using client-side SSL which is 
>> terminated in an Istio ingress gateway (envoy) before reaching the service.
>>
>> When using a genuine certificate from LetsEncrypt everything works fine.
>>
>> However, when the ingress gateway is configured with a self signed SSL 
>> certificate, generated from a root CA which has been added to the trust 
>> store (keychain/cert-manager) on the client machine, the connection fails:
>>
>> E1029 17:01:45.274918000 123145515409408 ssl_transport_security.cc:1229] 
>>> Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL 
>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
>>
>>
>> Chrome/curl etc will connect to the http services behind the same ingress 
>> gateway without SSL warnings (given that the root CA certificate has been 
>> added to the trust store).
>>
>> My question is: should gRPC also be using the trust store for client-side 
>> SSL? If so, any ideas what I might be doing wrong. 
>>
>> Thanks,
>> Mark
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/401d3d63-d873-4ca4-ad31-c84239d8c224%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to