I spoke to our security team. I was advised to use corporate root.crt. I changed it in the project, but a new error appeared:

I0228 20:50:39.519296300 14294 http_connect_handshaker.cc:329] Connecting to server tts.3i-vox.xyz:443 via HTTP proxy ipv4:10.34.199.43:3131
D0228 20:50:39.619062800 14294 security_handshaker.cc:182] Security handshake failed: {"created":"@1614545439.619025100","description":"Cannot check peer: missing selected ALPN property.","file":"/tmp/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}
I0228 20:50:39.619545800 14294 subchannel.cc:1060] Connect failed: {"created":"@1614545439.619025100","description":"Cannot check peer: missing selected ALPN property.","file":"/tmp/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}

I tried changing the environment variable TSI_OPENSSL_ALPN_SUPPORT=0
But the error repeats itself :-(

On Saturday, February 27, 2021 at 01:44:36 UTC+3, Zhen Lian wrote:

> Hi,
> From the error message, most likely the certificate verification failed
> because the certificate sent from the server is not trusted by your client.
> You might want to use OpenSSL to check if the cert chain sent from server
> are trusted by root cert located at "../roots.crt". This is important for
> establishing a TLS connection.
> GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION is dangerous, since itself doesn't
> provide any mechanism for verification. In most cases that should be
> combined with some customized checks, and I highly discourage its usage in
> any of the production code, without any additional checks.
>
> On Friday, February 26, 2021 at 11:20:35 AM UTC-8 Mark D. Roth wrote:
>
>> Are you connecting via an HTTP CONNECT proxy? If so, you should be able
>> to do this simply by setting the $grpc_proxy environment variable to point
>> at your proxy.
>>
>> Zhen (CC'ed) can check your SSL creds code to make sure it looks right.
>>
>> On Thu, Feb 25, 2021 at 8:04 AM Yuriy Hashev <yuriy....@gmail.com> wrote:
>>
>>> I wrote a simple client to work with some server. Everything works fine
>>> with direct access.
>>> But, if I declare the variable, I get the error "Handshake failed with
>>> fatal error SSL_ERROR_SSL: error:1000007d:SSL
>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED."
>>>
>>> This is my code for making connection
>>>
>>> string root = read_keycert("../roots.crt");
>>> grpc::SslCredentialsOptions ssl_opts;
>>> ssl_opts.pem_root_certs = root;
>>> ssl_opts.pem_private_key = "";
>>> ssl_opts.pem_cert_chain = "";
>>>
>>> channel_creds = grpc::SslCredentials(ssl_opts);
>>> channel = grpc::CreateChannel(URL, channel_creds);
>>> stub = vox::tts::TTS::NewStub(channel);
>>>
>>> I guess I need to make a connection with a parameter
>>> GRPC_TLS_SKIP_ALL_SERVER_VERIFICATION. But I don't understand how.
>>>
>>> I need a small example. Thanks.
>>
>> --
>> Mark D. Roth <ro...@google.com>
>> Software Engineer
>> Google, Inc.
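
The OpenSSL check Zhen Lian suggests above, written out as an added example that is not part of the thread: it verifies the chain seen through the proxy against the client's root file and also reports whether ALPN h2 was selected, which is what the second error concerns. The function names and the sample outputs are constructed for illustration; the -proxy option needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# probe TARGET PROXY CAFILE
# Handshake through the HTTP CONNECT proxy, offering ALPN "h2" as gRPC does,
# and verify the presented chain against the root file the client loads.
probe() {
  openssl s_client -connect "$1" -proxy "$2" -servername "${1%%:*}" \
    -alpn h2 -CAfile "$3" </dev/null 2>&1
}

# summarize: read s_client output on stdin, print "chain=... alpn=...".
summarize() {
  out=$(cat)
  # The last "Verify return code" line carries the final verification result.
  verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | tail -n 1)
  case "$verify" in
    "0 (ok)") chain=trusted ;;
    "")       chain=unknown ;;
    *)        chain="untrusted: $verify" ;;
  esac
  if printf '%s\n' "$out" | grep -q '^ALPN protocol: h2'; then
    alpn=h2
  elif printf '%s\n' "$out" | grep -q '^No ALPN negotiated'; then
    alpn=none
  else
    alpn=unknown
  fi
  printf 'chain=%s alpn=%s\n' "$chain" "$alpn"
}

# Constructed excerpts of s_client output, not captured from the thread's server.
SAMPLE_NO_ALPN='No ALPN negotiated
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='ALPN protocol: h2
    Verify return code: 20 (unable to get local issuer certificate)'

printf '%s\n' "$SAMPLE_NO_ALPN" | summarize
printf '%s\n' "$SAMPLE_UNTRUSTED" | summarize

# Live use with the values from the thread:
#   probe tts.3i-vox.xyz:443 10.34.199.43:3131 ../roots.crt | summarize
```

A result of chain=trusted with alpn=none corresponds to the second error in the thread: the certificate check passes, but the TLS peer that answered did not select h2.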