Oh, and I should mention that the python interop client I tested did use grpc.ssl_target_name_override for the override: https://github.com/grpc/grpc/blob/v1.15.1/src/python/grpcio_tests/tests/interop/client.py#L103-L106
On Tue, Oct 2, 2018 at 9:14 AM Eric Anderson <ej...@google.com> wrote: > I've been able to reproduce that you must have the override for SNI to > work using the gcr.io/grpc-testing/grpc_interop_python:v1.15.0 image. Our > interop tests that require SNI are passing --server_host_override= > grpc-test.sandbox.googleapis.com, which should not be necessary. I've > filed https://github.com/grpc/grpc/issues/16759 . > > As part of that, I did verify (including with wireshark) that specifying > the override uses SNI. > > On Tue, Oct 2, 2018 at 9:08 AM Jiangtao Li <jiang...@google.com> wrote: > >> +Mehrdad, >> >> Could you please reproduce? >> In tsi_ssl_client_handshaker_factory_create_handshaker(), do a debug log >> on server_name_indication parameter. If this value is not set, I suspect >> something is wrong with plumbing from python to c core to tsi. >> If this value is set, it could be a bug in TSI, I will take a look then. >> >> Thanks, >> Jiangtao >> >> >> On Tue, Oct 2, 2018 at 8:57 AM Eric Anderson <ej...@google.com> wrote: >> >>> Jiangtao, if it's the case you must use the override to enable SNI, >>> that's a bug that needs to be fixed. We should be enabling SNI just by the >>> target string (so from the uri, "myserver.tunnel.dev" in the example). >>> >>> However, even if you do need to use the override, the code linked *does* use >>> the override. GRPC_SSL_TARGET_NAME_OVERRIDE_ARG is >>> grpc.ssl_target_name_override >>> <https://github.com/grpc/grpc/blob/3ee2919623dfcc11ac58e3e2a69c8986a2dd90eb/include/grpc/impl/codegen/grpc_types.h#L260> >>> . >>> >>> On Mon, Oct 1, 2018 at 9:10 PM jiangtao via grpc.io < >>> grpc-io@googlegroups.com> wrote: >>> >>>> In grpc c core and wrapped languages, the only way to set SNI is to >>>> use GRPC_SSL_TARGET_NAME_OVERRIDE_ARG. >>>> See >>>> https://github.com/grpc/grpc/blob/master/test/core/end2end/h2_ssl_cert_test.cc#L176 >>>> for example. >>>> >>>> Not sure about this python error though. >>>> >>>> On Thursday, September 20, 2018 at 5:55:52 PM UTC-7, yangc...@gmail.com >>>> wrote: >>>>> >>>>> How to set the TLS/SNI ( >>>>> https://en.wikipedia.org/wiki/Server_Name_Indication) in the the >>>>> Python/C++ gRPC client API? >>>>> >>>>> In other word, what's the equivalent of setting the `-servername` in >>>>> `openssl s_client`? >>>>> >>>>> >>>>> I have verified my TLS server works by using the correct flags on >>>>> `openssl s_client`: >>>>> ```sh >>>>> openssl s_client -connect "myserver.tunnel.dev:4443" -servername >>>>> "myserver.tunnel.dev" >>>>> ``` >>>>> >>>>> However, I wasn't able to setup the credentials correct with the >>>>> Python /C++ API: >>>>> >>>>> ```python >>>>> uri = "myserver.tunnel.dev:4443" >>>>> hostname = "myserver.tunnel.dev" >>>>> >>>>> creds = grpc.ssl_channel_credentials( >>>>> root_certificates=dev_cert) >>>>> # root_certificates=certificate_chain) >>>>> # certificate_chain=certificate_chain) >>>>> channel = grpc.secure_channel(uri, creds, >>>>> options=(('grpc.ssl_target_name_override', hostname),) >>>>> ) >>>>> >>>>> # This throws >>>>> >>>>> ```python >>>>> grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with >>>>> (StatusCode.UNAVAILABLE, Connect Failed)> >>>>> ``` >>>>> >>>>> ``` >>>>> >>>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "grpc.io" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to grpc-io+unsubscr...@googlegroups.com. >>>> To post to this group, send email to grpc-io@googlegroups.com. >>>> Visit this group at https://groups.google.com/group/grpc-io. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/grpc-io/b763a855-06b5-4c96-9a8d-2aca2b314802%40googlegroups.com >>>> <https://groups.google.com/d/msgid/grpc-io/b763a855-06b5-4c96-9a8d-2aca2b314802%40googlegroups.com?utm_medium=email&utm_source=footer> >>>> . >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To post to this group, send email to grpc-io@googlegroups.com. Visit this group at https://groups.google.com/group/grpc-io. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CA%2B4M1oMyK_MupaPFJOokeKY9_y-V12y0Q_jdd4%2BZyU3RHcihOQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature
