I've been able to reproduce that you must have the override for SNI to work using the gcr.io/grpc-testing/grpc_interop_python:v1.15.0 image. Our interop tests that require SNI are passing --server_host_override= grpc-test.sandbox.googleapis.com, which should not be necessary. I've filed https://github.com/grpc/grpc/issues/16759 .
As part of that, I did verify (including with wireshark) that specifying the override uses SNI. On Tue, Oct 2, 2018 at 9:08 AM Jiangtao Li <jiang...@google.com> wrote: > +Mehrdad, > > Could you please reproduce? > In tsi_ssl_client_handshaker_factory_create_handshaker(), do a debug log > on server_name_indication parameter. If this value is not set, I suspect > something is wrong with plumbing from python to c core to tsi. > If this value is set, it could be a bug in TSI, I will take a look then. > > Thanks, > Jiangtao > > > On Tue, Oct 2, 2018 at 8:57 AM Eric Anderson <ej...@google.com> wrote: > >> Jiangtao, if it's the case you must use the override to enable SNI, >> that's a bug that needs to be fixed. We should be enabling SNI just by the >> target string (so from the uri, "myserver.tunnel.dev" in the example). >> >> However, even if you do need to use the override, the code linked *does* use >> the override. GRPC_SSL_TARGET_NAME_OVERRIDE_ARG is >> grpc.ssl_target_name_override >> <https://github.com/grpc/grpc/blob/3ee2919623dfcc11ac58e3e2a69c8986a2dd90eb/include/grpc/impl/codegen/grpc_types.h#L260> >> . >> >> On Mon, Oct 1, 2018 at 9:10 PM jiangtao via grpc.io < >> grpc-io@googlegroups.com> wrote: >> >>> In grpc c core and wrapped languages, the only way to set SNI is to >>> use GRPC_SSL_TARGET_NAME_OVERRIDE_ARG. >>> See >>> https://github.com/grpc/grpc/blob/master/test/core/end2end/h2_ssl_cert_test.cc#L176 >>> for example. >>> >>> Not sure about this python error though. >>> >>> On Thursday, September 20, 2018 at 5:55:52 PM UTC-7, yangc...@gmail.com >>> wrote: >>>> >>>> How to set the TLS/SNI ( >>>> https://en.wikipedia.org/wiki/Server_Name_Indication) in the the >>>> Python/C++ gRPC client API? >>>> >>>> In other word, what's the equivalent of setting the `-servername` in >>>> `openssl s_client`? >>>> >>>> >>>> I have verified my TLS server works by using the correct flags on >>>> `openssl s_client`: >>>> ```sh >>>> openssl s_client -connect "myserver.tunnel.dev:4443" -servername >>>> "myserver.tunnel.dev" >>>> ``` >>>> >>>> However, I wasn't able to setup the credentials correct with the Python >>>> /C++ API: >>>> >>>> ```python >>>> uri = "myserver.tunnel.dev:4443" >>>> hostname = "myserver.tunnel.dev" >>>> >>>> creds = grpc.ssl_channel_credentials( >>>> root_certificates=dev_cert) >>>> # root_certificates=certificate_chain) >>>> # certificate_chain=certificate_chain) >>>> channel = grpc.secure_channel(uri, creds, >>>> options=(('grpc.ssl_target_name_override', hostname),) >>>> ) >>>> >>>> # This throws >>>> >>>> ```python >>>> grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with >>>> (StatusCode.UNAVAILABLE, Connect Failed)> >>>> ``` >>>> >>>> ``` >>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "grpc.io" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to grpc-io+unsubscr...@googlegroups.com. >>> To post to this group, send email to grpc-io@googlegroups.com. >>> Visit this group at https://groups.google.com/group/grpc-io. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/grpc-io/b763a855-06b5-4c96-9a8d-2aca2b314802%40googlegroups.com >>> <https://groups.google.com/d/msgid/grpc-io/b763a855-06b5-4c96-9a8d-2aca2b314802%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To post to this group, send email to grpc-io@googlegroups.com. Visit this group at https://groups.google.com/group/grpc-io. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CA%2B4M1oPk3fJMiFKiM2Rtj0NukUi3FvDxAs8JxBg8_2aMvQTQLA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature
