Re: [grpc-io] PHP and Python client fails SSL connection

2019-02-10 Thread 'Srini Polavarapu' via grpc.io 
You are very likely running into this issue 
. This fix will be available in 
gRPC release 1.19.0. You can try nightly pkgs 
from https://packages.grpc.io/ or wait for 1.19 RC coming out early next 
week.

On Wednesday, February 6, 2019 at 10:52:41 AM UTC-8, jis...@wepay.com wrote:
>
> Yes, we have tried to use that option but does not change anything. Here 
> are the grpc version we are using.
>
> For PHP we are using the packages php56-php-pecl-grpc (version 1.17.0) and 
> php56-php-pecl-protobuf (version 3.6.1) and openssl (version 1.0.2k-fips). 
> The Java dropwizard-grpc version for the server is 1.1.3-1. The Java 
> grpc-netty, grpc-protobuf, and grpc-stub versions for the Java client is 
> 1.13.1.
>
> On Tuesday, February 5, 2019 at 6:03:02 PM UTC-8, Stanley Cheung wrote:
>>
>> Did you try supplying the "grpc.ssl_target_name_override" key to the 
>> options?
>>
>> On Tue, Feb 5, 2019 at 4:01 PM jisooh via grpc.io <
>> grp...@googlegroups.com> wrote:
>>
>>> Hello,
>>>
>>>
>>> We are currently facing an issue with trying to connect our PHP gRPC 
>>> client with SSL to our Java gRPC server. The gRPC service we are trying to 
>>> connect to is running on a service mesh (linkerd/namerd), and the call 
>>> first hits a linkerd instance that routes to the service.
>>>
>>>
>>> When we run a Java client using the trusted certificate, it is able to 
>>> connect to the server; however, with a Python and PHP client, the SSL 
>>> connection fails even with the same cert.
>>>
>>>
>>> Java client code:
>>>
>>>
>>> ManagedChannel channel = NettyChannelBuilder.forAddress(host, port) 
>>> .overrideAuthority(‘cert-
>>> common-name’) 
>>> .sslContext(GrpcSslContexts.
>>> forClient().trustManager(new File(‘path/to/cert’)).build()) 
>>> .build();
>>>
>>>
>>>
>>> Python code:
>>>
>>>
>>> credentials = grpc.ssl_channel_credentials(open(‘path/to/cert’).read())
>>> channel = grpc.secure_channel(host + str(port), credentials, options=((
>>> 'grpc.default_authority', ‘cert-common-name’,),))
>>>
>>>
>>>
>>> PHP code:
>>>
>>>
>>>
>>> $channel_credentials = \Grpc\ChannelCredentials::createSsl(
>>> file_get_contents(‘path/to/cert’));
>>> $channel = new \Grpc\Channel($hostname, 
>>> [ 
>>> 'grpc_target_persist_bound' => 2, 
>>> 'grpc.default_authority' => ‘cert-common-name’, 
>>> 'credentials' => $channel_credentials
>>> ]);
>>>
>>>
>>>
>>> We are interested in fixing the problem for PHP at the moment. Our PHP 
>>> client runs in a CentOS 7 docker container with nginx + php-fpm.
>>>
>>>
>>> We have tried to make the OS trust the certificate by using 
>>> update-ca-trust. Running *openssl s_client -connect host:port* returns:
>>>

 verify error:num=2:unable to get issuer certificate
>>>
>>>
>>> We receive the following error when calling the server with the created 
>>> client for PHP:
>>>
>>>
>>> ssl_transport_security.cc:1229] Handshake failed with fatal error 
 SSL_ERROR_SSL: error:107d:SSL 
 routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>>>
>>>
>>> With the gRPC logs, we can see that the connection fails when it tries 
>>> to call the security handshake.
>>>
>>>
>>> We are not sure why the Java client is able to connect to the server 
>>> while the PHP and Python clients cannot with the same cert.
>>>
>>>
>>> Has anyone ran into these issues before? It would be helpful if anyone 
>>> has some information on this as this is currently a high priority blocker 
>>> for us.
>>>
>>>
>>> Thank you.
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "grpc.io" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to grpc-io+u...@googlegroups.com.
>>> To post to this group, send email to grp...@googlegroups.com.
>>> Visit this group at https://groups.google.com/group/grpc-io.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com
>>>  
>>> 
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/e3a4daf7-ff15-4765-95d1-33d1a6c2e5a3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [grpc-io] PHP and Python client fails SSL connection

2019-02-06 Thread jisooh via grpc.io 
Yes, we have tried to use that option but does not change anything. Here 
are the grpc version we are using.

For PHP we are using the packages php56-php-pecl-grpc (version 1.17.0) and 
php56-php-pecl-protobuf (version 3.6.1) and openssl (version 1.0.2k-fips). 
The Java dropwizard-grpc version for the server is 1.1.3-1. The Java 
grpc-netty, grpc-protobuf, and grpc-stub versions for the Java client is 
1.13.1.

On Tuesday, February 5, 2019 at 6:03:02 PM UTC-8, Stanley Cheung wrote:
>
> Did you try supplying the "grpc.ssl_target_name_override" key to the 
> options?
>
> On Tue, Feb 5, 2019 at 4:01 PM jisooh via grpc.io  > wrote:
>
>> Hello,
>>
>>
>> We are currently facing an issue with trying to connect our PHP gRPC 
>> client with SSL to our Java gRPC server. The gRPC service we are trying to 
>> connect to is running on a service mesh (linkerd/namerd), and the call 
>> first hits a linkerd instance that routes to the service.
>>
>>
>> When we run a Java client using the trusted certificate, it is able to 
>> connect to the server; however, with a Python and PHP client, the SSL 
>> connection fails even with the same cert.
>>
>>
>> Java client code:
>>
>>
>> ManagedChannel channel = NettyChannelBuilder.forAddress(host, port) 
>> .overrideAuthority(‘cert-
>> common-name’) 
>> .sslContext(GrpcSslContexts.
>> forClient().trustManager(new File(‘path/to/cert’)).build()) 
>> .build();
>>
>>
>>
>> Python code:
>>
>>
>> credentials = grpc.ssl_channel_credentials(open(‘path/to/cert’).read())
>> channel = grpc.secure_channel(host + str(port), credentials, options=((
>> 'grpc.default_authority', ‘cert-common-name’,),))
>>
>>
>>
>> PHP code:
>>
>>
>>
>> $channel_credentials = \Grpc\ChannelCredentials::createSsl(
>> file_get_contents(‘path/to/cert’));
>> $channel = new \Grpc\Channel($hostname, 
>> [ 
>> 'grpc_target_persist_bound' => 2, 
>> 'grpc.default_authority' => ‘cert-common-name’, 
>> 'credentials' => $channel_credentials
>> ]);
>>
>>
>>
>> We are interested in fixing the problem for PHP at the moment. Our PHP 
>> client runs in a CentOS 7 docker container with nginx + php-fpm.
>>
>>
>> We have tried to make the OS trust the certificate by using 
>> update-ca-trust. Running *openssl s_client -connect host:port* returns:
>>
>>>
>>> verify error:num=2:unable to get issuer certificate
>>
>>
>> We receive the following error when calling the server with the created 
>> client for PHP:
>>
>>
>> ssl_transport_security.cc:1229] Handshake failed with fatal error 
>>> SSL_ERROR_SSL: error:107d:SSL 
>>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>>
>>
>> With the gRPC logs, we can see that the connection fails when it tries to 
>> call the security handshake.
>>
>>
>> We are not sure why the Java client is able to connect to the server 
>> while the PHP and Python clients cannot with the same cert.
>>
>>
>> Has anyone ran into these issues before? It would be helpful if anyone 
>> has some information on this as this is currently a high priority blocker 
>> for us.
>>
>>
>> Thank you.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to grpc-io+u...@googlegroups.com .
>> To post to this group, send email to grp...@googlegroups.com 
>> .
>> Visit this group at https://groups.google.com/group/grpc-io.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com
>>  
>> 
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/8246b8ee-0e15-48af-bf6c-8d35c0d6edb5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [grpc-io] PHP and Python client fails SSL connection

2019-02-05 Thread 'Stanley Cheung' via grpc.io 
Did you try supplying the "grpc.ssl_target_name_override" key to the
options?

On Tue, Feb 5, 2019 at 4:01 PM jisooh via grpc.io 
wrote:

> Hello,
>
>
> We are currently facing an issue with trying to connect our PHP gRPC
> client with SSL to our Java gRPC server. The gRPC service we are trying to
> connect to is running on a service mesh (linkerd/namerd), and the call
> first hits a linkerd instance that routes to the service.
>
>
> When we run a Java client using the trusted certificate, it is able to
> connect to the server; however, with a Python and PHP client, the SSL
> connection fails even with the same cert.
>
>
> Java client code:
>
>
> ManagedChannel channel = NettyChannelBuilder.forAddress(host, port)
> .overrideAuthority(‘cert-
> common-name’)
> .sslContext(GrpcSslContexts.
> forClient().trustManager(new File(‘path/to/cert’)).build())
> .build();
>
>
>
> Python code:
>
>
> credentials = grpc.ssl_channel_credentials(open(‘path/to/cert’).read())
> channel = grpc.secure_channel(host + str(port), credentials, options=((
> 'grpc.default_authority', ‘cert-common-name’,),))
>
>
>
> PHP code:
>
>
>
> $channel_credentials = \Grpc\ChannelCredentials::createSsl(
> file_get_contents(‘path/to/cert’));
> $channel = new \Grpc\Channel($hostname,
> [
> 'grpc_target_persist_bound' => 2,
> 'grpc.default_authority' => ‘cert-common-name’,
> 'credentials' => $channel_credentials
> ]);
>
>
>
> We are interested in fixing the problem for PHP at the moment. Our PHP
> client runs in a CentOS 7 docker container with nginx + php-fpm.
>
>
> We have tried to make the OS trust the certificate by using
> update-ca-trust. Running *openssl s_client -connect host:port* returns:
>
>>
>> verify error:num=2:unable to get issuer certificate
>
>
> We receive the following error when calling the server with the created
> client for PHP:
>
>
> ssl_transport_security.cc:1229] Handshake failed with fatal error
>> SSL_ERROR_SSL: error:107d:SSL
>> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
>
>
> With the gRPC logs, we can see that the connection fails when it tries to
> call the security handshake.
>
>
> We are not sure why the Java client is able to connect to the server while
> the PHP and Python clients cannot with the same cert.
>
>
> Has anyone ran into these issues before? It would be helpful if anyone has
> some information on this as this is currently a high priority blocker for
> us.
>
>
> Thank you.
>
> --
> You received this message because you are subscribed to the Google Groups "
> grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to grpc-io+unsubscr...@googlegroups.com.
> To post to this group, send email to grpc-io@googlegroups.com.
> Visit this group at https://groups.google.com/group/grpc-io.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/CAEteGX0Y6SbhtADMNmi%2BepTzGY9ZR3fR%3DBUQWOg8bpMBs%3DmGqg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[grpc-io] PHP and Python client fails SSL connection

2019-02-05 Thread jisooh via grpc.io 


Hello,


We are currently facing an issue with trying to connect our PHP gRPC client 
with SSL to our Java gRPC server. The gRPC service we are trying to connect 
to is running on a service mesh (linkerd/namerd), and the call first hits a 
linkerd instance that routes to the service.


When we run a Java client using the trusted certificate, it is able to 
connect to the server; however, with a Python and PHP client, the SSL 
connection fails even with the same cert.


Java client code:


ManagedChannel channel = NettyChannelBuilder.forAddress(host, port) 
.overrideAuthority(‘cert-common-
name’) 
.sslContext(GrpcSslContexts.
forClient().trustManager(new File(‘path/to/cert’)).build()) 
.build();



Python code:


credentials = grpc.ssl_channel_credentials(open(‘path/to/cert’).read())
channel = grpc.secure_channel(host + str(port), credentials, options=((
'grpc.default_authority', ‘cert-common-name’,),))



PHP code:



$channel_credentials = \Grpc\ChannelCredentials::createSsl(file_get_contents
(‘path/to/cert’));
$channel = new \Grpc\Channel($hostname, 
[ 
'grpc_target_persist_bound' => 2, 
'grpc.default_authority' => ‘cert-common-name’, 
'credentials' => $channel_credentials
]);



We are interested in fixing the problem for PHP at the moment. Our PHP 
client runs in a CentOS 7 docker container with nginx + php-fpm.


We have tried to make the OS trust the certificate by using 
update-ca-trust. Running *openssl s_client -connect host:port* returns:

>
> verify error:num=2:unable to get issuer certificate


We receive the following error when calling the server with the created 
client for PHP:


ssl_transport_security.cc:1229] Handshake failed with fatal error 
> SSL_ERROR_SSL: error:107d:SSL 
> routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED


With the gRPC logs, we can see that the connection fails when it tries to 
call the security handshake.


We are not sure why the Java client is able to connect to the server while 
the PHP and Python clients cannot with the same cert.


Has anyone ran into these issues before? It would be helpful if anyone has 
some information on this as this is currently a high priority blocker for 
us.


Thank you.

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/ce0546a9-8a0e-41b1-9f0d-25ff2a415d8b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.