Have you seen: https://github.com/grpc/grpc/issues/9538? Make sure you're using a secure channel on the client. If you believe you are, perhaps double check that the CA data you're giving setTLSPEMroots is PEM-formatted DER-encoded pkcs12. If openssl does not understand the data perhaps the channel is acting like an insecure one?
David

On Tue, Apr 23, 2019 at 2:01 PM Rob Cecil <[email protected]> wrote:

> On the server I am using Grpc 1.19. Not sure that could cause the handshake issue.
>
> On Tuesday, April 23, 2019 at 4:58:31 PM UTC-4, Rob Cecil wrote:
>>
>> Using on iOS: gRPC version 1.18.0, ProtoCompiler 3.6.0, BoringSSL-GRPC 0.0.2
>>
>> On Tuesday, April 23, 2019 at 4:49:32 PM UTC-4, Rob Cecil wrote:
>>>
>>> Thanks David,
>>>
>>> I have switched my iOS code to calling setTLSPEMRootCerts( certStringData, forHost: myHostName). From what I can see everything is set up correctly.
>>>
>>> But I get:
>>>
>>> E0423 16:45:55.527496000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:00.529906000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:05.530279000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:10.533879000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:15.537614000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:25.543934000 123145543942144 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> E0423 16:46:40.549839000 123145544478720 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
>>>
>>> On Monday, April 22, 2019 at 5:04:04 PM UTC-4, David Cowden wrote:
>>>>
>>>> grpc bundles openssl (boringssl) and ships with its own roots.pem. It does not use the system store on iOS. You can either manually add your CA certificate to that file at `pod install`/`pod update` time or, preferably, configure grpc to use your in-house CA when you create the GRPCCall via
>>>> https://github.com/grpc/grpc/blob/36b47ce0de60754cf14258e15d25dd2d1bb5abe0/src/objective-c/GRPCClient/GRPCCall%2BChannelCredentials.h#L24
>>>>
>>>> GRPC_TRACE=all will surface some errors that you can use. They show up in the log in Xcode if you have All Output selected.
>>>>
>>>> David
>>>>
>>>> On Mon, Apr 22, 2019 at 1:36 PM Rob Cecil <[email protected]> wrote:
>>>>
>>>>> I have an existing implementation of a c#-based Grpc server (running on Windows 10 Server), and iOS/Objc-based grpc client and I can successfully connect, login, make calls, etc. My issue is switching from nonsecure to SSL, using the same network Name & port, etc.
>>>>>
>>>>> I'm using self-signed server certificates, and I distribute the CA Cert that I created for my org to the test iOS device (via email) and install the Profile and make sure it is valid and activated in iOS Settings.
>>>>>
>>>>> When I enable SSL in the client and server, I cannot connect. There is no discernable error on either side. The connect aborts right away.
>>>>>
>>>>> I am following roughly the same steps here to initialize and start the C# Server:
>>>>>
>>>>> https://stackoverflow.com/questions/37714558/how-to-enable-server-side-ssl-for-grpc
>>>>>
>>>>> Here's my relevant code snippet:
>>>>>
>>>>> ServerCredentials credentials = ServerCredentials.Insecure;
>>>>> if (cfg.UseSSL)
>>>>> {
>>>>>     var cacert = File.ReadAllText(cfg.CACertLocation);
>>>>>     var servercert = File.ReadAllText(cfg.ServerCertLocation);
>>>>>     var serverkey = File.ReadAllText(cfg.ServerKeyLocation);
>>>>>     var keypair = new KeyCertificatePair(servercert, serverkey);
>>>>>     credentials = new SslServerCredentials(new List<KeyCertificatePair> { keypair }, cacert, false);
>>>>> }
>>>>>
>>>>> var server = new Server
>>>>> {
>>>>>     Services =
>>>>>     {
>>>>>         BackendService.BindService(wanderBackendServiceImpl),
>>>>>         ManagementService.BindService(management)
>>>>>     },
>>>>>     Ports = { { hostAddress, port, credentials } }
>>>>> };
>>>>>
>>>>> server.Start();
>>>>>
>>>>> On the iOS side, it is simply a matter of not turning on Insecure mode on the relevant Grpc class (i.e. by default SSL is enabled).
>>>>>
>>>>> I am not using Mutual SSL/TLS - the client should just attempt to validate the server certificate using CA cert it has been signed with (both server & CA are created internally at my org).
>>>>>
>>>>> How do I diagnose my problem? I've been looking at:
>>>>>
>>>>> https://github.com/grpc/grpc/blob/master/TROUBLESHOOTING.md
>>>>>
>>>>> But I am not sure where such log information would be by default generated. Event Log?
>>>>>
>>>>> Thanks!
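
An added diagnostic example, not part of the thread and not gRPC's own code: BoringSSL reports WRONG_VERSION_NUMBER when the bytes sitting where a TLS record header belongs do not carry a 0x03xx version, which is what a plaintext HTTP/2 reply looks like to a TLS client. The function names and the sample bytes are constructed for illustration; `probe` sends an HTTP/2 client preface to a server you operate and classifies the first reply.

```python
import socket
import struct

# Constructed samples (not captured from any real server).
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")  # fatal alert record
SAMPLE_H2_SETTINGS = bytes.fromhex("000006040000000000" "000300000064")

# HTTP/2 client connection preface followed by an empty SETTINGS frame.
H2_CLIENT_PREFACE = (b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
                     + bytes.fromhex("000000040000000000"))


def as_tls_record_header(data):
    """Read the first 5 bytes as a TLS stack does: (type, version, length)."""
    return struct.unpack("!BHH", data[:5])


def classify_peer_bytes(data):
    """Guess which protocol the first bytes from a server belong to."""
    if len(data) >= 5:
        ctype, version, _ = as_tls_record_header(data)
        # TLS record types are 0x14..0x17 and the version major byte is 0x03.
        if 0x14 <= ctype <= 0x17 and version >> 8 == 0x03:
            return "tls"
    # HTTP/2 frame header: 24-bit length, type, flags, 32-bit stream field.
    # A server preface is a SETTINGS frame (type 0x04) on stream 0.
    if len(data) >= 9 and data[3] == 0x04 and data[5:9] == b"\x00" * 4:
        return "plaintext-http2"
    if data.startswith(b"HTTP/"):
        return "plaintext-http1"
    return "closed" if not data else "unknown"


def probe(host, port, timeout=5.0):
    """Speak cleartext HTTP/2 to host:port and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(H2_CLIENT_PREFACE)
        try:
            return classify_peer_bytes(sock.recv(64))
        except (socket.timeout, ConnectionResetError):
            return "closed"


if __name__ == "__main__":
    # Why a TLS client rejects a SETTINGS frame: the "version" reads 0x0006.
    print(as_tls_record_header(SAMPLE_H2_SETTINGS))
    print(classify_peer_bytes(SAMPLE_H2_SETTINGS))
```

A `plaintext-http2` result from `probe` means the listener on that port answers in cleartext, so the server side was started without TLS credentials on that port.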
