Python client handshake failed with certificates generated with openssl
m-dnsk opened this issue
What version of gRPC and what language are you using?
- grpcio 1.46.3
What operating system (Linux, Windows,...) and version?
- Ubuntu 20.04
What runtime / compiler are you using (e.g. python version or version of gcc)?
- Python 3.8.10
What did you do?
I tried to create a secure connection with a C# server using a certificate generated with openssl:
openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 365 -nodes -out root.pem -keyout root_key.key
What did you expect to see?
I expected to see the handshake complete like below. It happens only if I pass the ISRG Root X1 .pem certificate. It doesn't work with certificates generated with openssl.
I0609 13:53:53.554704862 24517 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:53:53.554810653 24517 ssl_transport_security.cc:226] LOOP - TLS client enter_early_data - !!!!!!
I0609 13:53:53.554820404 24517 ssl_transport_security.cc:226] LOOP - TLS client read_server_hello - !!!!!!
I0609 13:53:53.623411738 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_hello_retr - !!!!!!
I0609 13:53:53.623442108 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_hel - !!!!!!
I0609 13:53:53.623581620 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_encrypted_ - !!!!!!
I0609 13:53:53.623597190 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_certificat - !!!!!!
I0609 13:53:53.623605140 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:53:53.623900773 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:53:53.624211547 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_fin - !!!!!!
I0609 13:53:53.624241057 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_end_of_ear - !!!!!!
I0609 13:53:53.624246097 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_enc - !!!!!!
I0609 13:53:53.624250517 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_cer - !!!!!!
I0609 13:53:53.624256557 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client send_client_cer - !!!!!!
I0609 13:53:53.624261327 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client complete_second - !!!!!!
I0609 13:53:53.624287428 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client done - !!!!!!
I0609 13:53:53.624293308 24516 ssl_transport_security.cc:226] LOOP - TLS client finish_client_hands - !!!!!!
I0609 13:53:53.624301228 24516 ssl_transport_security.cc:226] LOOP - TLS client done - !!!!!!
I0609 13:53:53.624305998 24516 ssl_transport_security.cc:226] HANDSHAKE DONE - TLS client done - !!!!!!
What did you see instead?
I get a handshake failed error. Everything works fine with C# and PHP clients using the same certificates, but not in Python.
I0609 13:50:18.620465500 23800 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:50:18.620860005 23800 ssl_transport_security.cc:226] LOOP - TLS client enter_early_data - !!!!!!
I0609 13:50:18.620869775 23800 ssl_transport_security.cc:226] LOOP - TLS client read_server_hello - !!!!!!
I0609 13:50:18.658310464 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_hello_retr - !!!!!!
I0609 13:50:18.658339294 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_hel - !!!!!!
I0609 13:50:18.658464695 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_encrypted_ - !!!!!!
I0609 13:50:18.658482236 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_certificat - !!!!!!
I0609 13:50:18.658488666 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:50:18.658590997 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
E0609 13:50:18.658816929 23799 ssl_transport_security.cc:1495] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
Anything else we should know about your project / environment?
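Here is how I pass the certificate:
import grpc

# target is the server's "host:port" string; its value is not shown in the issue
with open('root.pem', 'rb') as f:
    cert = f.read()
channel = grpc.secure_channel(
    target,
    grpc.ssl_channel_credentials(cert))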
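The two traces in the report above can be triaged mechanically. The following is an added example, not part of the original issue or of gRPC: it parses the log format shown there and reports how far the handshake got and which TLS error ended it. The function name `summarize_handshake` and the result keys are assumptions made for this sketch.

```python
import re

# Log line shape used in the issue: "<I|W|E><MMDD> <time> <thread> <file>:<line>] <message>"
LINE_RE = re.compile(r"^([IWE])\d{4} \S+\s+\d+ \S+:\d+\] (.*)$")
# Handshake progress message: "<HANDSHAKE START|LOOP|HANDSHAKE DONE> - <state> - ..."
STATE_RE = re.compile(r"^(HANDSHAKE START|LOOP|HANDSHAKE DONE)\s+-\s+(.*?)\s+-")
# BoringSSL error string: "error:<hex code>:<library>:<function>:<REASON>"
ERROR_RE = re.compile(r"error:([0-9a-fA-F]+):[^:]*:[^:]*:([A-Z0-9_]+)")

def summarize_handshake(trace):
    """Summarize one handshake trace: outcome, last state reached, TLS error."""
    out = {"completed": False, "last_state": None, "error_code": None, "reason": None}
    for raw in trace.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip anything that is not a log line in this format
        level, message = line.groups()
        state = STATE_RE.match(message)
        if state:
            phase, out["last_state"] = state.groups()
            out["completed"] = out["completed"] or phase == "HANDSHAKE DONE"
        elif level == "E":
            err = ERROR_RE.search(message)
            if err:
                out["error_code"], out["reason"] = err.groups()
    # A verify failure while the client is processing the server certificate means
    # the roots given to the client did not validate the chain the server presented.
    out["server_cert_rejected"] = (
        out["reason"] == "CERTIFICATE_VERIFY_FAILED"
        and "read_server_cer" in (out["last_state"] or "")
    )
    return out

# Abbreviated copies of the two traces posted in the issue.
FAILED_TRACE = """\
I0609 13:50:18.620465500 23800 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:50:18.658482236 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_certificat - !!!!!!
I0609 13:50:18.658590997 23799 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
E0609 13:50:18.658816929 23799 ssl_transport_security.cc:1495] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
"""
OK_TRACE = """\
I0609 13:53:53.554704862 24517 ssl_transport_security.cc:226] HANDSHAKE START - TLS client start_connect - !!!!!!
I0609 13:53:53.623900773 24516 ssl_transport_security.cc:226] LOOP - TLS 1.3 client read_server_cer - !!!!!!
I0609 13:53:53.624301228 24516 ssl_transport_security.cc:226] LOOP - TLS client done - !!!!!!
I0609 13:53:53.624305998 24516 ssl_transport_security.cc:226] HANDSHAKE DONE - TLS client done - !!!!!!
"""

if __name__ == "__main__":
    for name, trace in (("failed", FAILED_TRACE), ("ok", OK_TRACE)):
        print(name, summarize_handshake(trace))
```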
I think this is the expected behavior. Your root certificate should come from a Certificate Authority, which should be the entity that issues your server's certs. Creating your own root certificate won't work because it is not trusted by any public authority.
I am going to close this issue. Let me know if there is anything else coming up, thanks!
What if I want to use a self-signed certificate?