gRPC client failing to connect to server with TLS certificates

Tags: python, ssl, grpc

I am trying to establish an encrypted connection with TLS certificates using gRPC. With an insecure connection everything works fine, and I also tried a client written in Go, which works too. But with Python I am getting the following error:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
        status = StatusCode.UNAVAILABLE
        details = "failed to connect to all addresses"
        debug_error_string = "{"created":"@1565190346.229323178","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3528,"referenced_errors":
[{"created":"@1565190346.229314131","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":399,"grpc_status":14}]}"

Here is my client's code:

import grpc
import srv_pb2_grpc  # generated from the service .proto

# no root_certificates passed: grpc falls back to its default CA roots
credentials = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('127.0.0.1:9332', credentials)
stub = srv_pb2_grpc.SrvStub(channel)
response = stub.Action(msg='msg')  # stub methods take the generated request message as the positional argument

Any suggestions?

Update

Here is the output with the GRPC_TRACE and GRPC_VERBOSITY environment variables set.

os.environ['GRPC_TRACE'] = 'transport_security,tsi'
os.environ['GRPC_VERBOSITY'] = 'DEBUG'

I0808 11:24:21.077552208   28357 ev_epoll1_linux.cc:116]     grpc epoll fd: 3                                                                                                                                        
D0808 11:24:21.077580061   28357 ev_posix.cc:174]            Using polling engine: epoll1                                                                                                                            
D0808 11:24:21.077622131   28357 dns_resolver_ares.cc:483]   Using ares dns resolver                                                                                                                                 
E0808 11:24:21.077633004   28357 trace.cc:65]                Unknown trace var: 'transport_security'                                                                                                                 
I0808 11:24:21.402168083   28357 ssl_transport_security.cc:217]      HANDSHAKE START -       TLS client start_connect  - !!!!!!                                                                                      
I0808 11:24:21.402353776   28357 ssl_transport_security.cc:217]                 LOOP -    TLS client enter_early_data  - !!!!!!                                                                                      
I0808 11:24:21.402387194   28357 ssl_transport_security.cc:217]                 LOOP -   TLS client read_server_hello  - !!!!!!                                                                                      
I0808 11:24:21.606877030   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_certifi  - !!!!!!                                                                                      
I0808 11:24:21.607580283   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_st  - !!!!!!                                                                                      
I0808 11:24:21.607612862   28357 ssl_transport_security.cc:217]                 LOOP - TLS client verify_server_certi  - !!!!!!                                                                                      
I0808 11:24:21.613300944   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_key_exc  - !!!!!!                                                                                      
I0808 11:24:21.614718867   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_re  - !!!!!!                                                                                      
I0808 11:24:21.614762602   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_hello_d  - !!!!!!                                                                                      
I0808 11:24:21.614782664   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!                                                                                      
I0808 11:24:21.614798210   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_key_exc  - !!!!!!
I0808 11:24:21.616791101   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!
I0808 11:24:21.616817014   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_finishe  - !!!!!!
I0808 11:24:21.616891441   28357 ssl_transport_security.cc:217]                 LOOP -       TLS client finish_flight  - !!!!!!
I0808 11:24:21.616916680   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_session_ticket  - !!!!!!
I0808 11:24:21.811575115   28357 ssl_transport_security.cc:217]                 LOOP - TLS client process_change_ciph  - !!!!!!
I0808 11:24:21.811645429   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_finishe  - !!!!!!
I0808 11:24:21.811706483   28357 ssl_transport_security.cc:217]                 LOOP - TLS client finish_client_hands  - !!!!!!
I0808 11:24:21.811745454   28357 ssl_transport_security.cc:217]                 LOOP -                TLS client done  - !!!!!!
I0808 11:24:21.811763000   28357 ssl_transport_security.cc:217]       HANDSHAKE DONE -                TLS client done  - !!!!!!
D0808 11:24:21.811984315   28357 security_handshaker.cc:176] Security handshake failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}
I0808 11:24:21.812313765   28357 subchannel.cc:1031]         Connect failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}
zzell asked Aug 07 '19 15:08
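An added pre-flight check for exactly this failure (not code from the question or either answer): the trace above shows the TLS handshake completing and then gRPC's security handshaker rejecting the peer because no ALPN protocol was selected, so the helper below does a plain TLS handshake with Python's ssl module offering only "h2" and reports what the server picked, and a second helper builds a gRPC channel that pins the CA file explicitly. The host, port, ca.pem path and the "localhost" server name are constructed placeholders.

```python
"""Check whether a TLS server negotiates ALPN "h2", which gRPC requires from its peer.
Host, port and certificate paths below are constructed placeholders."""
import socket
import ssl
from typing import Optional


def negotiate_alpn(host: str, port: int, cafile: Optional[str] = None,
                   server_name: Optional[str] = None, timeout: float = 5.0) -> Optional[str]:
    """Handshake offering only ALPN 'h2' and return the protocol the server selected.

    None means the handshake succeeded but the server selected nothing, which is the
    condition behind "Cannot check peer: missing selected ALPN property".
    """
    ctx = ssl.create_default_context(cafile=cafile)   # system roots if cafile is None
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.selected_alpn_protocol()


def alpn_verdict(selected: Optional[str]) -> str:
    """Translate the negotiation result into the action an operator should take."""
    if selected == "h2":
        return "ok: server negotiates h2, gRPC over TLS should connect"
    if selected is None:
        return "server ignored ALPN: enable ALPN h2 on the server or proxy; gRPC rejects the peer"
    return f"server selected {selected!r}, not h2: fix the server ALPN configuration"


def make_secure_channel(target: str, cafile: str, override_authority: Optional[str] = None):
    """Build a gRPC TLS channel trusting only the CA in `cafile` instead of default roots."""
    import grpc  # imported here so the ALPN pre-flight works without grpcio installed
    with open(cafile, "rb") as f:
        creds = grpc.ssl_channel_credentials(root_certificates=f.read())
    options = []
    if override_authority:
        # needed when dialling an IP such as 127.0.0.1 while the cert carries a DNS name
        options.append(("grpc.ssl_target_name_override", override_authority))
    return grpc.secure_channel(target, creds, options=options)


if __name__ == "__main__":
    # constructed target matching the question's client; ca.pem and "localhost" are placeholders
    print(alpn_verdict(negotiate_alpn("127.0.0.1", 9332, cafile="ca.pem", server_name="localhost")))
```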

2 Answers

The recent versions of the PIP grpcio package (1.23.0) are compiled with an older version of OpenSSL that doesn't properly support ALPN, and gRPC requires ALPN as part of the specification.

If you pip install grpcio~=1.19.0 it will work, due to a different bug -- this version of grpcio doesn't require ALPN at all.

ALPN is a performance improvement only, so disabling it is not a security risk.

dfeldman answered Nov 14 '22 01:11


If you have control over the server, you should look into enabling ALPN. I was configuring an Envoy proxy and came across the same error. Following the instructions in this comment fixed it for me: https://github.com/envoyproxy/envoy/issues/4291#issuecomment-417292285

Michael answered Nov 14 '22 01:11