On the server I am using Grpc 1.19. Not sure that could cause the handshake issue.
On Tuesday, April 23, 2019 at 4:58:31 PM UTC-4, Rob Cecil wrote: > > Using on iOS: gRPC version 1.18.0, ProtoCompiler 3.6.0, BoringSSL-GRPC > 0.0.2 > > On Tuesday, April 23, 2019 at 4:49:32 PM UTC-4, Rob Cecil wrote: >> >> Thanks David, >> >> I am switched my iOS code to calling setTLSPEMRootCerts( certStringData, >> forHost: myHostName). From what I can see everything is set up correctly. >> >> But I get: >> >> E0423 16:45:55.527496000 123145544478720 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:00.529906000 123145543942144 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:05.530279000 123145544478720 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:10.533879000 123145543942144 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:15.537614000 123145543942144 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:25.543934000 123145543942144 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> E0423 16:46:40.549839000 123145544478720 ssl_transport_security.cc:1233] >> Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL >> routines:OPENSSL_internal:WRONG_VERSION_NUMBER. >> >> On Monday, April 22, 2019 at 5:04:04 PM UTC-4, David Cowden wrote: >>> >>> grpc bundles openssl (boringssl) and ships with its own roots.pem. It >>> does not use the system store on iOS. You can either manually add your CA >>> certificate to that file at `pod install`/`pod update` time or, preferably, >>> configure grpc to use your in-house CA when you create the GRPCCall via >>> https://github.com/grpc/grpc/blob/36b47ce0de60754cf14258e15d25dd2d1bb5abe0/src/objective-c/GRPCClient/GRPCCall%2BChannelCredentials.h#L24 >>> >>> GRPC_TRACE=all will surface some errors that you can use. They show up >>> in the log in Xcode if you have All Output selected. >>> >>> David >>> >>> >>> >>> On Mon, Apr 22, 2019 at 1:36 PM Rob Cecil <[email protected]> wrote: >>> >>>> I have an existing implementation of a c#-based Grpc server (running on >>>> Windows 10 Server), and iOS/Objc-based grpc client and I can successfully >>>> connect, login, make calls, etc. My issue is switching from nonsecure to >>>> SSL, using the same network Name & port, etc. >>>> >>>> I'm using self-signed server certificates, and I distribute the CA Cert >>>> that I created for my org to the test iOS device (via email) and install >>>> the Profile and make sure it is valid and activated in iOS Settings. >>>> >>>> When I enable SSL in the client and server, I cannot connect. There is >>>> no discernable error on either side. The connect aborts right away. >>>> >>>> I am following roughly the same steps here to initialize and start the >>>> C# Server: >>>> >>>> >>>> https://stackoverflow.com/questions/37714558/how-to-enable-server-side-ssl-for-grpc >>>> >>>> Here's my relevant code snippet: >>>> >>>> ServerCredentials credentials = ServerCredentials.Insecure; >>>> if (cfg.UseSSL) >>>> { >>>> var cacert = File.ReadAllText(cfg.CACertLocation); >>>> var servercert = >>>> File.ReadAllText(cfg.ServerCertLocation); >>>> var serverkey = File.ReadAllText(cfg.ServerKeyLocation); >>>> var keypair = new KeyCertificatePair(servercert, >>>> serverkey); >>>> credentials = new SslServerCredentials(new >>>> List<KeyCertificatePair> { keypair }, cacert, false); >>>> } >>>> >>>> var server = new Server >>>> { >>>> Services = >>>> { >>>> >>>> BackendService.BindService(wanderBackendServiceImpl), >>>> ManagementService.BindService(management) >>>> }, >>>> Ports = { { hostAddress, port, credentials } } >>>> }; >>>> >>>> server.Start(); >>>> >>>> On the iOS side, it simply a matter of not turning on Insecure mode on >>>> the relevant Grpc class (i.e. by default SSL is enabled). >>>> >>>> I am not using Mutual SSL/TLS - the client should just attempt to >>>> validate the server certificate using CA cert it has been signed with >>>> (both >>>> server & CA are created internally at my org). >>>> >>>> How do I diagnose my problem? I've been looking at: >>>> >>>> https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md >>>> >>>> But I am not sure where such log information would be by default >>>> generated. Event Log? >>>> >>>> Thanks! >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "grpc.io" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To post to this group, send email to [email protected]. >>>> Visit this group at https://groups.google.com/group/grpc-io. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/grpc-io/1b700a9b-edba-4212-95da-03c0c35c634d%40googlegroups.com >>>> >>>> <https://groups.google.com/d/msgid/grpc-io/1b700a9b-edba-4212-95da-03c0c35c634d%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/grpc-io. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/b40f894a-7383-453a-a939-e117e61f8dfe%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
