dcrwallet certs not accepted by grpc/boring ssl

[jcvernaleo]

This isn't really a bug in this project but I'm putting it here to aid in tracking it. Two related bugs are: grpc/grpc/pull/8601 grpc/grpc/issues/6722

The certs used by dcrwallet (https://github.com/decred/dcrutil/blob/master/certgen.go) are not accepted by grpc because the underlying ssl library does not accept them.

To test I built the latest boringssl on linux and attempted to connected to dcrwallet:

./bssl s_client -connect 127.0.0.1:9110
Connecting to 127.0.0.1:9110
Error while connecting: 141106832:error:1000006b:SSL routines:OPENSSL_internal:BAD_ECC_CERT:/home/jcv/code/boringssl/ssl/ssl_cert.c:821:

The corresponding openssl command:

openssl s_client -connect 127.0.0.1:9110

works fine.

[jcvernaleo]

An additional bit of info, going to the line with the error, it appears the actual check that fails is:

!tls1_check_group_id(ssl, group_id)

[jcvernaleo]

Apparently, can't close automatically with commit to another repo. This was fixed in decred/dcrutil#21

[jrick]

Still an issue even with P-384

[jcvernaleo]

grpc uses a very old (Feb 2016) version of boringssl. This is very different from the Nov 2016 version we were testing the command line with. A good test seems to be to build grpc with a newer boringssl but I'm still working out how to get node-pre-gyp to work with that.