GRPC C++ TLS Client grpc::SslCredentials() method not returning
gRPC client not returning certificate
I am trying to build a gRPC application with mutual authentication using C++. When I set the GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY option on the server, the client does not return its certificate. The server shows the following error:

```
Handshake failed with fatal error SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate.
```
Without this option, only the server is authenticated and the communication works fine.
The certificate chain is a self-signed root CA, which signs an intermediate CA, which signs the server and client certificates. I tested the connection with the following command, using the same certificates that I load on the client:
```sh
openssl s_client -connect localhost:50051 \
    -cert client_cert.pem -key client_pkey.pem \
    -CAfile ca-chain.pem \
    -state -debug
```
This gave me no connection errors. The ca-chain.pem file contains the concatenation of the root CA and the intermediate CA.
I tried to find anything in gRPC that could cause this, but I found the documentation for C++ to be very sparse... Any hints on what the problem might be? Here is a sample of the code I am using.
Client code
```cpp
/* Set the certificates */
/* ca_chain, client_pkey and client_cert are the PEM file paths;
   loadCertificate() reads a file into a std::string (helper not shown) */
grpc::SslCredentialsOptions ssl_opts;
ssl_opts.pem_root_certs = loadCertificate(ca_chain);     // root CA + intermediate CA
ssl_opts.pem_private_key = loadCertificate(client_pkey); // client private key
ssl_opts.pem_cert_chain = loadCertificate(client_cert);  // client certificate (chain)
/* Override hostname */
grpc::ChannelArguments args;
args.SetSslTargetNameOverride("server");
/* Create the channel */
std::shared_ptr<grpc::ChannelCredentials> creds = grpc::SslCredentials(ssl_opts);
ClientImpl client(grpc::CreateCustomChannel("localhost:50051", creds, args));
```
Server code
```cpp
std::string server_address("0.0.0.0:50051");
ServerImpl service;  // `ServerImpl service();` would declare a function, not an object
/* Set the certificates */
/* PemKeyCertPair holds two std::string members (private_key, cert_chain),
   so the PEM strings can be assigned directly */
grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = { x509_loadPEM(server_pkey), x509_loadPEM(server_cert) };
grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
//grpc::SslServerCredentialsOptions ssl_opts;
ssl_opts.pem_root_certs = x509_loadPEM(ca_chain);  // root CA + intermediate CA used to verify clients
ssl_opts.pem_key_cert_pairs.push_back(pkcp);
std::shared_ptr<grpc::ServerCredentials> creds;
creds = grpc::SslServerCredentials(ssl_opts);
/* Start the server */
ServerBuilder builder;
builder.AddListeningPort(server_address, creds);
builder.RegisterService(&service);
m_server = builder.BuildAndStart();
```
Update
Here is the output with GRPC_TRACE set to transport_security,tsi and GRPC_VERBOSITY set to debug.
Server side

```
I0705 15:46:59.119538389 11583 ssl_transport_security.cc:220] HANDSHAKE START - before SSL initialization - PINIT
I0705 15:46:59.119574620 11583 ssl_transport_security.cc:220] LOOP - before SSL initialization - PINIT
I0705 15:46:59.119583946 11583 ssl_transport_security.cc:220] LOOP - before SSL initialization - PINIT
I0705 15:46:59.119670552 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read client hello - TRCH
I0705 15:46:59.119686772 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write server hello - TWSH
I0705 15:46:59.119880739 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write certificate - TWSC
I0705 15:46:59.122456250 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write key exchange - TWSKE
I0705 15:46:59.122500516 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write certificate re - TWCR
I0705 15:46:59.122517841 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write server done - TWSD
I0705 15:46:59.124324895 11583 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write server done - TWSD
E0705 15:46:59.124354539 11583 ssl_transport_security.cc:1395] Handshake failed with fatal error SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate.
D0705 15:46:59.124376983 11583 security_handshaker.cc:184] Security handshake failed: {"created":"@1625514419.124366009","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":307,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
D0705 15:46:59.124406454 11583 chttp2_server.cc:124] Handshaking failed: {"created":"@1625514419.124366009","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":307,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
```
Client side

```
I0705 15:46:59.119384991 11756 ssl_transport_security.cc:220] HANDSHAKE START - before SSL initialization - PINIT
I0705 15:46:59.119435471 11756 ssl_transport_security.cc:220] LOOP - before SSL initialization - PINIT
I0705 15:46:59.119479876 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write client hello - TWCH
I0705 15:46:59.122745953 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write client hello - TWCH
I0705 15:46:59.122815300 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read server hello - TRSH
I0705 15:46:59.123253349 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read server certific - TRSC
I0705 15:46:59.123607078 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read server key exch - TRSKE
I0705 15:46:59.123813288 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read server certific - TRCR
I0705 15:46:59.123855701 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS read server done - TRSD
I0705 15:46:59.123881908 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write client certifi - TWCC
I0705 15:46:59.124188107 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write client key exc - TWCKE
I0705 15:46:59.124227044 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write change cipher - TWCCS
I0705 15:46:59.124253244 11756 ssl_transport_security.cc:220] LOOP - SSLv3/TLS write finished - TWFIN
D0705 15:46:59.124435035 11756 security_handshaker.cc:184] Security handshake failed: {"created":"@1625514419.124412434","description":"Handshake read failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":397,"referenced_errors":[{"created":"@1625514419.124410133","description":"Socket closed","fd":9,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":781,"grpc_status":14,"target_address":"ipv6:[::1]:50051"}]}
I0705 15:46:59.124541128 11756 subchannel.cc:1033] Connect failed: {"created":"@1625514419.124412434","description":"Handshake read failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":397,"referenced_errors":[{"created":"@1625514419.124410133","description":"Socket closed","fd":9,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":781,"grpc_status":14,"target_address":"ipv6:[::1]:50051"}]}
```
Hello from the gRPC team! The code looks fine to me. From the error message, it seems the server could not receive the client's certificates, even though you have obviously set them in the client code. Could it be that your client certificates have some format issue that the client stack does not recognize?
To make sure it is not a problem with the client certificates, you could simply replace the client certificates (and the private key) with the server's and see if it works, since both are signed by the same CA.
If the problem persists, then we at least know the client's certificates are good. I could try to reproduce it on my end and see whether I get the same error.
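One way to rule out the malformed-material possibility the answer raises, before grpc::SslCredentials() ever sees the strings. This is an added example, not code from the question or from gRPC; it assumes the PEM strings are already loaded (by a helper such as the asker's loadCertificate()) and is exercised against constructed sample PEM text rather than real keys.

```cpp
// Added example (not from the question or gRPC): validate the PEM strings before
// they reach grpc::SslCredentialsOptions, so an unreadable file, a BEGIN/END
// label mismatch or a swapped key and certificate is caught on the client side.
#include <cctype>
#include <string>
#include <vector>
struct PemBlock {
    std::string label;  // text after "-----BEGIN ", e.g. "CERTIFICATE"
    bool valid;         // labels match; body is non-empty base64 plus line breaks
};
// Split a PEM bundle into blocks; stop at the first structurally broken one.
std::vector<PemBlock> parsePemBundle(const std::string& pem) {
    const std::string kBegin = "-----BEGIN ", kEnd = "-----END ", kDash = "-----";
    std::vector<PemBlock> blocks;
    size_t pos = 0;
    while ((pos = pem.find(kBegin, pos)) != std::string::npos) {
        size_t lblStart = pos + kBegin.size(), lblEnd = pem.find(kDash, lblStart);
        if (lblEnd == std::string::npos) break;
        std::string label = pem.substr(lblStart, lblEnd - lblStart);
        size_t endPos = pem.find(kEnd, lblEnd);
        size_t endLblStart = endPos == std::string::npos ? endPos : endPos + kEnd.size();
        size_t endLblEnd = endPos == std::string::npos ? endPos : pem.find(kDash, endLblStart);
        if (endLblEnd == std::string::npos) { blocks.push_back({label, false}); break; }
        bool ok = pem.substr(endLblStart, endLblEnd - endLblStart) == label, hasData = false;
        for (char c : pem.substr(lblEnd + kDash.size(), endPos - lblEnd - kDash.size())) {
            if (std::isalnum(static_cast<unsigned char>(c)) || c == '+' || c == '/' || c == '=') hasData = true;
            else if (c != '\n' && c != '\r') ok = false;  // anything else is not PEM body
        }
        blocks.push_back({label, ok && hasData});
        pos = endLblEnd + kDash.size();
    }
    return blocks;
}
// Valid blocks whose label ends with `suffix`, so "PRIVATE KEY" also matches
// "RSA PRIVATE KEY" and "EC PRIVATE KEY".
int countBlocks(const std::string& pem, const std::string& suffix) {
    int n = 0;
    for (const PemBlock& b : parsePemBundle(pem))
        if (b.valid && b.label.size() >= suffix.size() &&
            b.label.compare(b.label.size() - suffix.size(), suffix.size(), suffix) == 0) ++n;
    return n;
}

// Client material for mutual TLS: one private key, at least the leaf certificate,
// and nothing in the wrong field (a swapped key/cert pair fails here).
bool clientMaterialLooksSane(const std::string& key, const std::string& chain) {
    return countBlocks(key, "PRIVATE KEY") == 1 && countBlocks(key, "CERTIFICATE") == 0 &&
           countBlocks(chain, "CERTIFICATE") >= 1 && countBlocks(chain, "PRIVATE KEY") == 0;
}
```

Running `countBlocks(pem_cert_chain, "CERTIFICATE")` also tells you whether the intermediate CA is actually present in the chain string you send, rather than only in the ca-chain.pem file that openssl s_client was given.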