How to open a secure channel in python gRPC client without a client SSL certificate

Question

I have a grpc server (in Go) that has a valid TLS certificate and does not require client side TLS. For some reason I can not implement the client without mTLS in Python, even though I can do so in Golang.

In Python I have

os.environ["GRPC_VERBOSITY"] = "DEBUG"
# os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"] = "/etc/ssl/certs/ca-bundle.crt"

channel = grpc.secure_channel(ADDR, grpc.ssl_channel_credentials())
grpc.channel_ready_future(channel).result(timeout=10)

This gives me the following error

D0513 08:02:08.147319164   21092 security_handshaker.cc:181] Security handshake failed: {"created":"@1652446928.147311309","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":377,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}

I can get this to work if I use SSL certificates by uncommenting the commented out line. I know for a fact that my server does not request, require or verify client certificates as The following Go code work perfectly

conn, err := grpc.DialContext(
    ctx,
    gRPCAddr,
    grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
)
dummyClient := dummy.NewDummyServiceClient(conn)
if _, err := dummyClient.Ping(context.Background(), &dummy.PingRequest{
    Ping: "go client ping",
}); err != nil {
    return fmt.Errorf("failed to ping: %w", err)
}

Is it possible one of the intermediate CAs is invalid? You should be able to test it using openssl's s_client, and trying to connect to the server ip/port. — Carl Mastrangelo, May 19 '22 at 03:56
@CarlMastrangelo I thought so too at first, but surely the intermediate CAs are valid because the go client is able to connect to the server with transport credentials (making the channel a secure one)? — prnvbn, May 19 '22 at 09:58
If my memory serves the Go client handles TLS differently (pure Go reimplementation) than the BoringSSL/OpenSSL library does (Used by Python and wrapped languages). The difference in TLS libraries may be why there's a difference in verification. Hence, checking with openssl s_client will show for certain. — Carl Mastrangelo, May 19 '22 at 11:14

score 2 · Answer 1 · answered May 20 '22 at 18:38

If the certificate on the server-side is publicly signed, you can use:

grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials())

But that doesn't seem to work for you, so I guess the server certificate is signed by a root cert owned by you. You can pass in the root cert into the root_certificates field [1], and leave the other two fields empty. This use case is documented in our Authentication guide [2].

with open(os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"], 'rb') as f:
    creds = grpc.ssl_channel_credentials(f.read())

channel = grpc.secure_channel(ORBIUM_ADDR, creds)

[1] https://grpc.github.io/grpc/python/grpc.html#grpc.ssl_channel_credentials

[2] https://grpc.io/docs/guides/auth/

Thank you for the answer, but as mentioned in the question, I have already considered this. I was looking for a way such that NO Certificate is required on the client side. This functionality is possible in the Go gRPC target. I was trying to emulate it in Python. — prnvbn, May 22 '22 at 09:18

score 1 · Accepted Answer · answered May 23 '22 at 09:59

https://grpc.github.io/grpc/python/_modules/grpc.html#secure_channel has the docs for channel = grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials()). This function relies on the class channel, see docs https://grpc.github.io/grpc/python/_modules/grpc/aio/_channel.html.

Basically, class Channel wraps C code to provide a secure channel. That wrapped C code expects the certificate. If you can implement in C, it might be easiest to just change the C code.

score 0 · Answer 3 · answered Aug 08 '22 at 10:34

The answer given by @former_Epsilon answered my question, however the solution I came up with for the problem was different and I ended up using a secure_channel so I wanted to post an answer for that as well.

import os
import grpc

# configure this dict for your systems
system_certs_map = {
    "Windows": "<Path to system cert>",
    "Darwin": "$REQUESTS_CA_BUNDLE",
    "Linux": "/etc/ssl/certs/ca-bundle.crt",
}

os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"] = system_certs_map[platform.system()]
channel_credentials = grpc.ssl_channel_credentials()

score -4 · Answer 4 · answered May 17 '22 at 00:04

-4

My guess based on Python GRPC doc https://grpc.github.io/grpc/python/grpc.html

channel = grpc.insecure_channel(ORBIUM_ADDR)

instead of:

channel = grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials())

answered May 17 '22 at 00:04

Jan Garaj

25,598
3
38
59

1

The question specifies a secure channel. `insecure_channel` is insecure and has no TLS enabled. I still want TLS but I want to open a secure TLS enabled channel without any client side certs (because I only want server-side TLS) – prnvbn May 17 '22 at 08:21

How to open a secure channel in python gRPC client without a client SSL certificate

4 Answers4

Linked