堆棧內存溢出
  簡體   English   中英

gRPC 客戶端不返回證書

[英]gRPC client not returning certificate

 原文  2021-07-05 18:28:51       c++/ openssl/ grpc/ grpc-c++

問題描述

我正在嘗試使用 C++ 構建一個具有相互身份驗證的 gRPC 應用程序。 當我在服務器上設置GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY選項時,客戶端不會返回它的證書。 服務器顯示以下錯誤:

Handshake failed with fatal error SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate.

如果沒有此選項,則僅對服務器進行身份驗證並且通信正常工作。

證書鏈是一個自簽名根 CA,它簽署了一個中間 CA,它簽署了服務器和客戶端證書。 我使用以下命令並使用我在客戶端加載的相同證書測試了連接。

openssl s_client -connect localhost:50051 /
    -cert client_cert.pem -key client_pkey.pem /
    -CAfile ca-chain.pem /
    -state -debug

這沒有給我任何連接錯誤。 ca-chain.pem 文件包含根 CA 和中間 CA 的串聯。

我試圖在 gRPC 上找到任何會導致這種情況的東西,但我發現 C++ 的文檔非常少......關於可能是什么問題的任何提示? 這是我正在使用的代碼示例。

客戶端代碼

/* Set the certificates */
grpc::SslCredentialsOptions ssl_opts;
ssl_opts.pem_root_certs = loadCertificate(ca-chain);
ssl_opts.pem_private_key = loadCertificate(client_pkey);
ssl_opts.pem_cert_chain = loadCertificate(client_cert);

/* Override hostname */
grpc::ChannelArguments args;
args.SetSslTargetNameOverride("server");

/* Create the channel */
std::shared_ptr<grpc::ChannelCredentials> creds = grpc::SslCredentials(ssl_opts);
ClientImpl client(grpc::CreateCustomChannel("localhost:50051", creds, args));

服務器代碼

std::string server_address("0.0.0.0:50051");
ServerImpl service();

/* Set the certificates */
grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = { x509_loadPEM(server_pkey).c_str(), x509_loadPEM(server_cert).c_str() };
grpc::SslServerCredentialsOptions ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);
//grpc::SslServerCredentialsOptions ssl_opts;
ssl_opts.pem_root_certs = x509_loadPEM(ca_chain);
ssl_opts.pem_key_cert_pairs.push_back(pkcp);

std::shared_ptr<grpc::ServerCredentials> creds;
creds = grpc::SslServerCredentials(ssl_opts);

/* Start the server */
ServerBuilder builder;
builder.AddListeningPort(server_address, creds);
builder.RegisterService(&service);
m_server = builder.BuildAndStart();

更新

這是GRPC_TRACE設置為transport_security,tsiGRPC_VERBOSITY的輸出以進行調試

服務器端

I0705 15:46:59.119538389   11583 ssl_transport_security.cc:220]      HANDSHAKE START -      before SSL initialization  - PINIT 
I0705 15:46:59.119574620   11583 ssl_transport_security.cc:220]                 LOOP -      before SSL initialization  - PINIT 
I0705 15:46:59.119583946   11583 ssl_transport_security.cc:220]                 LOOP -      before SSL initialization  - PINIT 
I0705 15:46:59.119670552   11583 ssl_transport_security.cc:220]                 LOOP -    SSLv3/TLS read client hello  -  TRCH
I0705 15:46:59.119686772   11583 ssl_transport_security.cc:220]                 LOOP -   SSLv3/TLS write server hello  -  TWSH
I0705 15:46:59.119880739   11583 ssl_transport_security.cc:220]                 LOOP -    SSLv3/TLS write certificate  -  TWSC
I0705 15:46:59.122456250   11583 ssl_transport_security.cc:220]                 LOOP -   SSLv3/TLS write key exchange  - TWSKE
I0705 15:46:59.122500516   11583 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS write certificate re  -  TWCR
I0705 15:46:59.122517841   11583 ssl_transport_security.cc:220]                 LOOP -    SSLv3/TLS write server done  -  TWSD
I0705 15:46:59.124324895   11583 ssl_transport_security.cc:220]                 LOOP -    SSLv3/TLS write server done  -  TWSD
E0705 15:46:59.124354539   11583 ssl_transport_security.cc:1395] Handshake failed with fatal error SSL_ERROR_SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate.
D0705 15:46:59.124376983   11583 security_handshaker.cc:184] Security handshake failed: {"created":"@1625514419.124366009","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":307,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
D0705 15:46:59.124406454   11583 chttp2_server.cc:124]       Handshaking failed: {"created":"@1625514419.124366009","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":307,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}

客戶端

I0705 15:46:59.119384991   11756 ssl_transport_security.cc:220]      HANDSHAKE START -      before SSL initialization  - PINIT 
I0705 15:46:59.119435471   11756 ssl_transport_security.cc:220]                 LOOP -      before SSL initialization  - PINIT 
I0705 15:46:59.119479876   11756 ssl_transport_security.cc:220]                 LOOP -   SSLv3/TLS write client hello  -  TWCH
I0705 15:46:59.122745953   11756 ssl_transport_security.cc:220]                 LOOP -   SSLv3/TLS write client hello  -  TWCH
I0705 15:46:59.122815300   11756 ssl_transport_security.cc:220]                 LOOP -    SSLv3/TLS read server hello  -  TRSH
I0705 15:46:59.123253349   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS read server certific  -  TRSC
I0705 15:46:59.123607078   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS read server key exch  - TRSKE
I0705 15:46:59.123813288   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS read server certific  -  TRCR
I0705 15:46:59.123855701   11756 ssl_transport_security.cc:220]                 LOOP -     SSLv3/TLS read server done  -  TRSD
I0705 15:46:59.123881908   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS write client certifi  -  TWCC
I0705 15:46:59.124188107   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS write client key exc  - TWCKE
I0705 15:46:59.124227044   11756 ssl_transport_security.cc:220]                 LOOP - SSLv3/TLS write change cipher   - TWCCS
I0705 15:46:59.124253244   11756 ssl_transport_security.cc:220]                 LOOP -       SSLv3/TLS write finished  - TWFIN
D0705 15:46:59.124435035   11756 security_handshaker.cc:184] Security handshake failed: {"created":"@1625514419.124412434","description":"Handshake read failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":397,"referenced_errors":[{"created":"@1625514419.124410133","description":"Socket closed","fd":9,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":781,"grpc_status":14,"target_address":"ipv6:[::1]:50051"}]}
I0705 15:46:59.124541128   11756 subchannel.cc:1033]         Connect failed: {"created":"@1625514419.124412434","description":"Handshake read failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":397,"referenced_errors":[{"created":"@1625514419.124410133","description":"Socket closed","fd":9,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":781,"grpc_status":14,"target_address":"ipv6:[::1]:50051"}]}

1 個解決方案

解決方案1
 1 已采納  2021-07-07 19:08:06

來自 gRPC 團隊的您好! 代碼對我來說看起來不錯。 從錯誤消息來看,服務器似乎無法接收客戶端的證書,而您顯然已經在客戶端代碼中設置了它們。 您的客戶端證書是否可能存在一些客戶端堆棧無法識別的格式問題?

為了確保這不是客戶端證書的問題,您可以簡單地用服務器的證書(以及私鑰)替換客戶端證書,然后看看它是否有效,因為它們都由同一個 CA 簽名。

如果問題仍然存在,那么我們至少知道客戶端的證書是好的。 我可能會在我的最后重現,看看我是否能看到同樣的錯誤。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 GRPC C++ TLS 客戶端 grpc::SslCredentials() 方法未返回 為什么 gRPC C++ 客戶端在沒有顯式服務器的 SSL 證書的情況下不起作用,就像在示例中一樣? 空 grpc 客戶端通道 客戶端上的 Grpc 訪問沖突 gRPC客戶端流 gRPC和etcd客戶端 在grpc服務器端調用時檢索SSL證書 OpenSSL客戶端未發送客戶端證書 Grpc:Grpc C ++客戶端和Grpc Java服務器,異步雙向流 攔截服務器和客戶端中的gRPC C ++調用
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM