elixir-grpc / grpc

An Elixir implementation of gRPC
https://hex.pm/packages/grpc
Apache License 2.0
1.4k stars, 214 forks

Cannot get mutual TLS to work with gRPC over Mint adapter, even though I can get it working with native Mint adapter. Syntax? #393

Open vegabook opened 1 day ago

vegabook commented 1 day ago

Hello!

When I use elixir Mint directly using mutual TLS, it works fine, but if I try to use the Mint adapter with elixir-grpc, it doesn't.

This works: https://github.com/user-attachments/assets/095e5450-ae2b-49e5-86fe-eb3f300fbc50 (gives no errors server side)

But this doesn't: https://github.com/user-attachments/assets/0373023a-df53-40de-b4f0-0b9b9c056034 Server side error: https://github.com/user-attachments/assets/f985d534-6964-45b9-b726-aef6e0ffa94d

I've tried putting the configs into my config.exs (duplicating because syntax is not obvious from docs): https://github.com/user-attachments/assets/79be4544-938c-4f18-832f-a4afaca2aa7d

Any idea how I can get the working mint connection, working with elixir-grpc?

I have this working with mutual TLS in Python just for guide: https://github.com/vegabook/gBLP/blob/main/gBLP/client_gblp.py#L135-L166

Here is the text of the connection code:

```elixir
channel = GRPC.Stub.connect("signaliser.com:50051", adapter: GRPC.Client.Adapters.Mint, custom_opts: [certfile: "/home/tbrowne/scratch/client_combined.pem", cacertfile: "/home/tbrowne/scratch/cacert.pem"]) |> elem(1)
```

I should add that the WRONG_VERSION_NUMBER error is the same one I was getting when my python code was not sending keys and certs properly, and is also what happens if you send no keys and certs.

Note that even if you do not provide any certs whatsoever, it still appears to connect: https://github.com/user-attachments/assets/3c26c12e-91f0-49dc-a7c5-27a8ee511b4c

whereas if you do the same on Mint without gRPC you definitely get an error:

https://github.com/user-attachments/assets/aaa565cf-387b-422d-ae73-0bfe31991df0

How do I get the working Mint config to be passed via elixir-grpc? Or maybe Gun adapter can do this?

(just for guide if you want to generate a CA authority and server and client authority, this python code will do it)

polvalente commented 22 hours ago

Hi, @vegabook. The prints are really hard for me to read. Could you paste those as code blocks instead next time?

I believe the error stems from you using an invalid :custom_opts key to pass the credentials to the Stub adapter. You might want adapter_opts: [transport_opts: ...] instead.

polvalente commented 22 hours ago

I've edited the issue to remove the print renders, but they are viewable if you click the remaining links.

vegabook commented 15 hours ago

> I've edited the issue to remove the print renders, but they are viewable if you click the remaining links.

Apols yeah I've gone a bit crazy on wezterm but I thought the syntax highlighting might help.

Okay I've tried this:

```elixir
iex(32)> channel = GRPC.Stub.connect("signaliser.com:50051", adapter: GRPC.Client.Adapters.Mint, transport_opts: [certfile: "/home/tbrowne/scratch/client_combined.pem", cacertfile: "/home/tbrowne/scratch/cacert.pem"]) |> elem(1)
%GRPC.Channel{
  host: "signaliser.com",
  port: 50051,
  scheme: "http",
  cred: nil,
  adapter: GRPC.Client.Adapters.Mint,
  adapter_payload: %{conn_pid: #PID<0.1005.0>},
  codec: GRPC.Codec.Proto,
  interceptors: [],
  compressor: nil,
  accepted_compressors: [],
  headers: []
}
```

But server side I still get the error:

```
E0000 00:00:1732705949.860719    6576 ssl_transport_security.cc:1650] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
```

What I'll do is I'll try to run non-gRPC mTLS over Mint adapter that I am claiming works (because it doesn't produce the above error), and actually make an https request to ensure it is indeed working properly. Then at least I'll have ascertained that Mint is working correctly.

Another thing I'll try is Linux <-> Linux as opposed to currently Linux client Windows server. Sometimes Windows is the problem. Unfortunately I do need the server to run on Windows because Bloomberg only runs on Windows, but at least that might further narrow down the issue or confirm that this is not the problem.
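Editor's added example (not part of the thread and not elixir-grpc's own code): the channel printed above has `scheme: "http"` and `cred: nil`, which is a cleartext channel, and a TLS listener that receives cleartext bytes reports a record-version error such as `WRONG_VERSION_NUMBER`. The sketch below passes the TLS options through `GRPC.Credential.new(ssl: ...)` via the `:cred` option and refuses to use a channel that is not TLS. The `MtlsConnect` module and its function names are hypothetical, and it assumes the "combined" PEM also contains the client's private key.

```elixir
# Added example. Requires the :grpc package; host and PEM paths are those quoted in the thread.
defmodule MtlsConnect do
  @host "signaliser.com:50051"

  # Erlang :ssl options for a client that verifies the server against the CA
  # and presents its own certificate (mutual TLS).
  def ssl_opts(certfile, cacertfile) do
    [
      verify: :verify_peer,    # reject servers not signed by cacertfile
      cacertfile: cacertfile,
      certfile: certfile,
      keyfile: certfile        # assumption: the combined PEM also holds the private key
    ]
  end

  # No :cred given, so the channel is created with scheme "http" (cleartext).
  def connect_plain do
    GRPC.Stub.connect(@host, adapter: GRPC.Client.Adapters.Mint)
  end

  # The ssl options travel inside a GRPC.Credential passed as :cred.
  def connect_mtls(certfile, cacertfile) do
    cred = GRPC.Credential.new(ssl: ssl_opts(certfile, cacertfile))
    GRPC.Stub.connect(@host, adapter: GRPC.Client.Adapters.Mint, cred: cred)
  end

  # Fail closed: only hand back a channel that was built with TLS credentials.
  def assert_tls!(%GRPC.Channel{scheme: "https", cred: %GRPC.Credential{}} = channel),
    do: channel

  def assert_tls!(%GRPC.Channel{scheme: scheme}) do
    raise ArgumentError,
          "channel scheme is #{inspect(scheme)}; refusing to send RPCs without TLS"
  end
end

{:ok, channel} =
  MtlsConnect.connect_mtls(
    "/home/tbrowne/scratch/client_combined.pem",
    "/home/tbrowne/scratch/cacert.pem"
  )

MtlsConnect.assert_tls!(channel)
```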

polvalente commented 15 hours ago

FYI if you use ```elixir for the code block we do have syntax highlighting

polvalente commented 15 hours ago

My recommendation is that you try and compare the options that Mint is receiving inside the adapter (change locally and remember to do mix deps.compile grpc afterwards) with the ones that you're passing in the standalone version.

vegabook commented 14 hours ago

> My recommendation is that you try and compare the options that Mint is receiving inside the adapter (change locally and remember to do mix deps.compile grpc afterwards) with the ones that you're passing in the standalone version.

Okay so I'm going to check which options Mint is receiving from elixir-grpc? How do I do that?

Also why do I need deps recompile? Doesn't it pick up the options from the config file and/or the passed transport_opts parameter?

polvalente commented 13 hours ago

I mean that you can add dbg or similar calls inside the code in the deps folder and recompile as the changes are applied.