grpc / grpc

The C based gRPC (C++, Python, Ruby, Objective-C, PHP, C#)

Home Page: https://grpc.io


Python client handshake failed with certificates generated with openssl

m-dnsk opened this issue

What version of gRPC and what language are you using?

  • grpcio 1.46.3

What operating system (Linux, Windows,...) and version?

  • Ubuntu 20.04

What runtime / compiler are you using (e.g. Python version or version of gcc)?

  • Python 3.8.10

What did you do?

I tried to create a secure connection with a C# server using a certificate generated with openssl:

openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 365 -nodes -out root.pem -keyout root_key.key

What did you expect to see?

I expected to see the handshake complete as shown below. It happens only if I pass the ISRG Root X1 .pem certificate. It doesn't work with certificates generated with openssl.

I0609 13:53:53.554704862 24517 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:53:53.554810653 24517 ssl_transport_security.cc:226] LOOP - TLS client enter_early_data - !!!!!!
I0609 13:53:53.554820404 24517 ssl_transport_security.cc:226] LOOP - TLS client read_server_hello - !!!!!!
I0609 13:53:53.623411738 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_hello_retr - !!!!!!
I0609 13:53:53.623442108 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_hel - !!!!!!
I0609 13:53:53.623581620 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_encrypted_ - !!!!!!
I0609 13:53:53.623597190 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_certificat - !!!!!!
I0609 13:53:53.623605140 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:53:53.623900773 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:53:53.624211547 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_fin - !!!!!!
I0609 13:53:53.624241057 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_end_of_ear - !!!!!!
I0609 13:53:53.624246097 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_enc - !!!!!!
I0609 13:53:53.624250517 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_cer - !!!!!!
I0609 13:53:53.624256557 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_cer - !!!!!!
I0609 13:53:53.624261327 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client complete_second - !!!!!!
I0609 13:53:53.624287428 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client done - !!!!!!
I0609 13:53:53.624293308 24516 ssl_transport_security.cc:226] LOOP - TLS client finish_client_hands - !!!!!!
I0609 13:53:53.624301228 24516 ssl_transport_security.cc:226] LOOP - TLS client done - !!!!!!
I0609 13:53:53.624305998 24516 ssl_transport_security.cc:226] HANDSHAKE DONE - TLS client done - !!!!!!

What did you see instead?

I get a handshake failed error. Everything works fine with the C# and PHP clients using the same certificates, but not in Python.

I0609 13:50:18.620465500 23800 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:50:18.620860005 23800 ssl_transport_security.cc:226] LOOP - TLS client enter_early_data - !!!!!!
I0609 13:50:18.620869775 23800 ssl_transport_security.cc:226] LOOP - TLS client read_server_hello - !!!!!!
I0609 13:50:18.658310464 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_hello_retr - !!!!!!
I0609 13:50:18.658339294 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_hel - !!!!!!
I0609 13:50:18.658464695 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_encrypted_ - !!!!!!
I0609 13:50:18.658482236 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_certificat - !!!!!!
I0609 13:50:18.658488666 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:50:18.658590997 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
E0609 13:50:18.658816929 23799 ssl_transport_security.cc:1495] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.

Anything else we should know about your project / environment?

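Here is how I pass the certificate:

import grpc

# root.pem is passed as the channel's root certificates (trust anchors)
cert = open('root.pem', 'rb').read()
# target is the server address, "host:port"
channel = grpc.secure_channel(
    target,
    grpc.ssl_channel_credentials(cert))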

I think this is the expected behavior. Your root certificate should come from a Certificate Authority, which should be the entity that issues your server's certs. Creating your own root certificate won't work because it is not trusted by any public authority.

I am going to close this issue. Let me know if there is anything else coming up, thanks!

What if I want to use a self-signed certificate?
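
An offline check for the self-signed case, as an added example (not code from the issue or from gRPC): a client that trusts only the PEM it was given accepts the server when the certificate the server presents chains to that PEM and carries the dialed name. Host and file names are constructed placeholders, the key size is reduced to rsa:2048 for speed, and an `openssl` 1.1.1+ binary is assumed.

```shell
#!/bin/sh
# Constructed demo: host name and file names are placeholders, not values from the issue.

# make_self_signed <prefix> <dns-name>: write <prefix>.pem / <prefix>.key, a
# self-signed certificate whose SAN is the name the client dials.
# -addext needs OpenSSL 1.1.1 or newer.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -out "$1.pem" -keyout "$1.key" 2>/dev/null
}

# diagnose <trust.pem> <presented.pem> <dns-name>: print why a client that
# trusts only <trust.pem> would accept or reject <presented.pem>.
diagnose() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "untrusted-chain"   # the failure class logged as CERTIFICATE_VERIFY_FAILED
    elif ! openssl x509 -in "$2" -noout -checkhost "$3" | grep -q "does match"; then
        echo "name-mismatch"     # chain is fine, target name is not in the SAN
    else
        echo "ok"
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_self_signed "$work/server" grpc.example.test   # what the server presents
make_self_signed "$work/other"  grpc.example.test   # unrelated self-signed cert, same name

# Trust anchor is the certificate the server actually presents
diagnose "$work/server.pem" "$work/server.pem" grpc.example.test
# Trust anchor is a certificate the server never used
diagnose "$work/other.pem"  "$work/server.pem" grpc.example.test
# Right certificate, but the client dials a name it does not carry
diagnose "$work/server.pem" "$work/server.pem" wrong.example.test
```

Only the PEM that reports `ok` for the server's real certificate and dialed name is worth passing to `grpc.ssl_channel_credentials`; the private key stays on the server.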