I want to create a grpc channel to a source that I trust, but whose certificate I lack. Setting up a secure channel with default credentials fails:
import gprc
ssh_channel = grpc.secure_channel(<gprc url>, grpc.ssl_channel_credentials())
grpc.channel_ready_future(ssh_channel).result()
Results in:
E1017 10:05:15.783011100 11539 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E1017 10:05:16.846366639 11539 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E1017 10:05:18.688887874 11539 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
E1017 10:05:21.557399186 11539 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
I know this is possible, since e.g. in Java one would do the following:
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
...
sslContext = GrpcSslContexts.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build();
channel = NettyChannelBuilder.forAddress(<gprc url>, 443).sslContext(sslContext).build();
However I haven't found any similar way for Python.
The documentation of grpc.secure_channel
also describes an option
argument, that according to the documentation is:
An optional list of key-value pairs (channel args in gRPC Core runtime) to configure the channel.
A reference to channel args here does not provide any help either. Any ideas?
UPDATE: (19/01/14):
There is an open pull request to add this option in the Python code, but it seems stuck in a PR for months now: https://github.com/grpc/grpc/pull/12656
You may have to fetch the certificate from the site in a separate step. If it can be a one-off, just use your browser and save the cert somewhere convenient. Otherwise, see How can I retrieve the TLS/SSL peer certificate of a remote host using python?.
In my case I saved the cert with my browser and did the following (I needed to override the target name with the one in the cert as it was self-signed and the domain name didn't match):
with open(cert_path, 'rb') as f:
cert_bytes = f.read()
credentials = grpc.ssl_channel_credentials(cert_bytes)
# Deal with cert being self-signed:
cert_cn = "cn.from.cert.com" # or parse it out of the cert data
options = (('grpc.ssl_target_name_override', cert_cn,),)
channnel = grpc.secure_channel(target, credentials, options)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With