grpc: X509_STORE_add_cert errors need to be decoded and handled
Should this be an issue in the gRPC issue tracker?
Yes.
What version of gRPC and what language are you using?
> GRPC::VERSION
=> "1.2.5"
What operating system (Linux, Windows, …) and version?
Linux
What runtime / compiler are you using (e.g. python version or version of gcc)
Ruby
> RUBY_VERSION
=> "2.4.0"
What did you do?
I pointed GRPC at a CA bundle that included a duplicate certificate and then called a method on my stub:
creds = GRPC::Core::ChannelCredentials.new(File.read(ca_file))
stub = MyService::Stub.new(server, creds)
stub.some_method
What did you expect to see?
I would expect an exception not to be raised.
What did you see instead?
When calling a method on my stub I get a GRPC::DeadlineExceeded error, along with the following debugging output:
E0609 11:07:14.082544835 29191 ssl_transport_security.c:602] Could not add root certificate to ssl context.
E0609 11:07:14.082587138 29191 ssl_transport_security.c:1348] Cannot load server root certificates.
E0609 11:07:14.082924913 29191 security_connector.c:837] Handshaker factory creation failed with TSI_INTERNAL_ERROR.
E0609 11:07:14.082939716 29191 secure_channel_create.c:127] Failed to create secure subchannel for secure name 'earthsmoke.service.cp1.consul:8080'
E0609 11:07:14.082947490 29191 secure_channel_create.c:158] Failed to create subchannel arguments during subchannel creation.
E0609 11:07:14.086947973 29191 ssl_transport_security.c:602] Could not add root certificate to ssl context.
E0609 11:07:14.086965201 29191 ssl_transport_security.c:1348] Cannot load server root certificates.
E0609 11:07:14.087280224 29191 security_connector.c:837] Handshaker factory creation failed with TSI_INTERNAL_ERROR.
E0609 11:07:14.087291073 29191 secure_channel_create.c:127] Failed to create secure subchannel for secure name 'earthsmoke.service.cp1.consul:8080'
E0609 11:07:14.087298127 29191 secure_channel_create.c:158] Failed to create subchannel arguments during subchannel creation.
I tracked the issue down to the fact that my CA bundle contains one certificate twice.
Anything else we should know about your project / environment?
Nope.
About this issue
- State: closed
- Created 7 years ago
- Comments: 16 (4 by maintainers)
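A client-side preflight for the failure reported above: drop byte-identical certificates from the CA bundle before it reaches GRPC::Core::ChannelCredentials.new. This is an added example, not code from the reporter or from gRPC; the helper names (dedupe_ca_bundle, pem_wrap) and the sample bundle are assumptions made for illustration.

```ruby
require "digest"

# One PEM certificate block; body captured lazily, CRLF line endings tolerated.
PEM_CERT = /-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----/m

# Re-encode DER bytes as a PEM block with a fixed line width.
def pem_wrap(der, width = 64)
  b64 = [der].pack("m0")
  "-----BEGIN CERTIFICATE-----\n#{b64.scan(/.{1,#{width}}/).join("\n")}\n-----END CERTIFICATE-----\n"
end

# Returns [clean_pem, duplicates]. Certificates are compared by the SHA-256 of
# their decoded DER bytes, so copies that differ only in line wrapping or line
# endings still count as duplicates. Text outside PEM blocks is dropped.
def dedupe_ca_bundle(pem)
  first_seen = {}
  kept = []
  dupes = []
  pem.scan(PEM_CERT).each_with_index do |(body), idx|
    der = body.unpack1("m") # lenient base64 decode, ignores whitespace
    fp = Digest::SHA256.hexdigest(der)
    if first_seen.key?(fp)
      dupes << { index: idx, duplicate_of: first_seen[fp], sha256: fp }
    else
      first_seen[fp] = idx
      kept << pem_wrap(der)
    end
  end
  [kept.join, dupes]
end

# Constructed sample: placeholder byte strings standing in for DER certificates
# (not real certificates). The first entry is repeated with a different line
# width and CRLF endings, as happens when bundles are concatenated.
SAMPLE_A = "constructed-root-A".b * 8
SAMPLE_B = "constructed-root-B".b * 8
SAMPLE_BUNDLE = pem_wrap(SAMPLE_A) + pem_wrap(SAMPLE_B) +
                pem_wrap(SAMPLE_A, 76).gsub("\n", "\r\n")

if __FILE__ == $PROGRAM_NAME
  clean, dupes = dedupe_ca_bundle(SAMPLE_BUNDLE)
  dupes.each do |d|
    warn "entry #{d[:index]} duplicates entry #{d[:duplicate_of]} (sha256 #{d[:sha256][0, 16]}...)"
  end
  puts "kept #{clean.scan(PEM_CERT).size} of #{SAMPLE_BUNDLE.scan(PEM_CERT).size} certificates"
  # With a real bundle: creds = GRPC::Core::ChannelCredentials.new(clean)
end
```

Only byte-identical certificates are collapsed; two different certificates for the same subject are both kept, so the trust set is unchanged.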
@justinburke Since your intern will work on root cert, it may be a good candidate PR for warming up.