Using on iOS: gRPC version 1.18.0, ProtoCompiler 3.6.0, BoringSSL-GRPC 0.0.2

On Tuesday, April 23, 2019 at 4:49:32 PM UTC-4, Rob Cecil wrote:
>
> Thanks David,
>
> I have switched my iOS code to calling setTLSPEMRootCerts(certStringData, 
> forHost: myHostName). From what I can see everything is set up correctly.
>
> But I get:
>
> E0423 16:45:55.527496000 123145544478720 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:00.529906000 123145543942144 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:05.530279000 123145544478720 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:10.533879000 123145543942144 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:15.537614000 123145543942144 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:25.543934000 123145543942144 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> E0423 16:46:40.549839000 123145544478720 ssl_transport_security.cc:1233] 
> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL 
> routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>
> On Monday, April 22, 2019 at 5:04:04 PM UTC-4, David Cowden wrote:
>>
>> grpc bundles openssl (boringssl) and ships with its own roots.pem. It 
>> does not use the system store on iOS. You can either manually add your CA 
>> certificate to that file at `pod install`/`pod update` time or, preferably, 
>> configure grpc to use your in-house CA when you create the GRPCCall via 
>> https://github.com/grpc/grpc/blob/36b47ce0de60754cf14258e15d25dd2d1bb5abe0/src/objective-c/GRPCClient/GRPCCall%2BChannelCredentials.h#L24
>>
>> GRPC_TRACE=all will surface some errors that you can use. They show up in 
>> the log in Xcode if you have All Output selected. 
>>
>> David
>>
>>
>>
>> On Mon, Apr 22, 2019 at 1:36 PM Rob Cecil <[email protected]> wrote:
>>
>>> I have an existing implementation of a c#-based Grpc server (running on 
>>> Windows 10 Server), and iOS/Objc-based grpc client and I can successfully 
>>> connect, login, make calls, etc. My issue is switching from nonsecure to 
>>> SSL, using the same network Name & port, etc.
>>>
>>> I'm using self-signed server certificates, and I distribute the CA Cert 
>>> that I created for my org to the test iOS device (via email) and install 
>>> the Profile and make sure it is valid and activated in iOS Settings.
>>>
>>> When I enable SSL in the client and server, I cannot connect. There is 
>>> no discernable error on either side. The connect aborts right away.
>>>
>>> I am following roughly the same steps here to initialize and start the 
>>> C# Server:
>>>
>>>
>>> https://stackoverflow.com/questions/37714558/how-to-enable-server-side-ssl-for-grpc
>>>
>>> Here's my relevant code snippet:
>>>
>>>             // Start insecure; switch to TLS credentials when configured.
>>>             ServerCredentials credentials = ServerCredentials.Insecure;
>>>             if (cfg.UseSSL)
>>>             {
>>>                 var cacert = File.ReadAllText(cfg.CACertLocation);
>>>                 var servercert = File.ReadAllText(cfg.ServerCertLocation);
>>>                 var serverkey = File.ReadAllText(cfg.ServerKeyLocation);
>>>                 var keypair = new KeyCertificatePair(servercert, serverkey);
>>>                 // Third argument (forceClientAuth) is false: no client certificate is required.
>>>                 credentials = new SslServerCredentials(
>>>                     new List<KeyCertificatePair> { keypair }, cacert, false);
>>>             }
>>>
>>>             var server = new Server
>>>             {
>>>                 Services =
>>>                 {
>>>                     BackendService.BindService(wanderBackendServiceImpl),
>>>                     ManagementService.BindService(management)
>>>                 },
>>>                 Ports = { { hostAddress, port, credentials } }
>>>             };
>>>
>>>             server.Start();
>>>
>>> On the iOS side, it is simply a matter of not turning on Insecure mode on 
>>> the relevant Grpc class (i.e. by default SSL is enabled). 
>>>
>>> I am not using Mutual SSL/TLS - the client should just attempt to 
>>> validate the server certificate using the CA cert it has been signed with (both 
>>> server & CA are created internally at my org).
>>>
>>> How do I diagnose my problem? I've been looking at:
>>>
>>> https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md
>>>
>>> But I am not sure where such log information would be by default 
>>> generated. Event Log? 
>>>
>>> Thanks!
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "grpc.io" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/grpc-io.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/grpc-io/1b700a9b-edba-4212-95da-03c0c35c634d%40googlegroups.com
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
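
A diagnostic sketch for the WRONG_VERSION_NUMBER error quoted above, added here as an example and not code from anyone in the thread: a TLS client typically reports that error when the bytes it receives are not a TLS record (bytes 1-2 are read as the record version), for example when the port answers in plaintext. The function names and sample bytes are hypothetical/constructed, and `probe` assumes a plaintext HTTP/2 listener sends its SETTINGS frame before the client speaks.

```python
import socket
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
H2_SETTINGS = 0x04                    # HTTP/2 SETTINGS frame type

# Constructed samples (not captured from the poster's server).
SAMPLE_TLS_RECORD = bytes.fromhex("160303007a020000")                 # handshake record, version 3.3
SAMPLE_H2_SETTINGS = bytes.fromhex("000006040000000000000300000064")  # SETTINGS on stream 0
SAMPLE_HTTP1 = b"HTTP/1.1 400 Bad Request\r\n"


def record_version(data: bytes) -> tuple:
    """Bytes 1-2, which a TLS client reads as the record version (expects major 3)."""
    return (data[1], data[2])


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener sends: TLS record or plaintext HTTP."""
    if len(data) < 5:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and length <= 16384 + 2048:
        return "tls"
    if data.startswith(b"HTTP/1."):
        return "plaintext-http1"
    if len(data) >= 9:
        # HTTP/2 frame header: 24-bit length, type, flags, 31-bit stream id.
        frame_len = int.from_bytes(data[:3], "big")
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        if data[3] == H2_SETTINGS and stream_id == 0 and frame_len % 6 == 0:
            return "plaintext-http2"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and classify whatever the listener volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(64)
        except socket.timeout:
            # A TLS listener waits for the ClientHello, so silence is expected.
            return "silent"
    return classify_first_bytes(data)
```

Run `probe` against the server's host and port from a machine on the same network: `plaintext-http2` means the listener is not wrapping the port in TLS, while `silent` is what a TLS listener normally produces.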
