Getting SSLV3_ALERT_HANDSHAKE_FAILURE when running behind proxies

[RajatDevSharma]

Environment details

• OS type and version: MacOs 10.12.6 (Tried to run on CentOs as well)
• Python version: 3.7.1
• pip version: 10.0.1
• google-cloud-pubsub version: 2.1.0
• Proxy type: SSL Intercept proxy (Squid 3.x)

Steps to reproduce

1. Run a simple pub/sub chatbot mentioned at: https://github.com/googleworkspace/hangouts-chat-samples/tree/master/python/pub-sub-bot
2. Set proxies using os:

   os.environ['http_proxy'] = 'http://xx.xx.xx:PORT'
   os.environ['https_proxy'] = 'http://xx.xx.xx:PORT'

   3. Run: bot.py

Code example

# !/usr/bin/env python3
# encoding: utf-8

import logging, sys, os, json, time
from google.cloud import pubsub_v1
from google.auth import default

log = logging.getLogger(__name__)

os.environ['http_proxy'] = 'http://xx.xx.xx:PORT'
os.environ['https_proxy'] = 'http://xx.xx.xx:PORT'
SUBSCRIPTION_ID = 'xxx'
os.environ['GOOGLE_APPLICATION_CREDENTIALS']='xxx'
# os.environ['GRPC_DEFAULT_SSL_ROOTS_FILE_PATH'] = '/xxx/cacert.crt'

def init_client():
    try:
        credentials, project_id = default()
        subscriber = pubsub_v1.SubscriberClient()
        subscription_path = subscriber.subscription_path(
            project_id, SUBSCRIPTION_ID)
    except Exception as init_err:
        log.error(f'Error in initializing Pub/Sub client: {init_err}')
        sys.exit(1)
    return subscriber, subscription_path

def receive_messages():
    log.info('Subscriber Started')
    # Initialize Client
    sub, sub_path = init_client()

    # Call Back to process pulled messages
    def callback(message):
        log.info(f'Received message: {message.data}')
        event = json.loads(message.data)
        ack = True

        # process_message(event)

        if ack:
            message.ack()
            log.info('Completed Request')

    sub.subscribe(sub_path, callback=callback)
    logging.info(f'Listening for messages on {sub_path}')

    # Keep main thread from exiting while waiting for messages
    while True:
        time.sleep(60)

if __name__ == '__main__':

    logging.basicConfig(
        level=logging.INFO,
        style='{',
        format='{levelname:.1}{asctime} {filename}:{lineno}] {message}')

    receive_messages()

Stack trace

I2020-11-17 21:56:23,136 subscriber-sample.py:27] Subscriber Started
I2020-11-17 21:56:23,142 subscriber-sample.py:44] Listening for messages on projects/xxx/xxx
E1117 21:56:24.377381000 123145466556416 ssl_transport_security.cc:1439] Handshake failed with fatal error SSL_ERROR_SSL: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE.
I2020-11-17 21:56:24,377 streaming_pull_manager.py:696] Observed non-terminating stream error 503 failed to connect to all addresses
I2020-11-17 21:56:24,378 streaming_pull_manager.py:674] Observed recoverable stream error 503 failed to connect to all addresses
I2020-11-17 21:56:24,379 bidi.py:487] Re-established stream
I2020-11-17 21:56:24,379 streaming_pull_manager.py:696] Observed non-terminating stream error 503 failed to connect to all addresses
I2020-11-17 21:56:24,379 streaming_pull_manager.py:674] Observed recoverable stream error 503 failed to connect to all addresses

Note:

• I have tried setting up CERTIFICATE path as well but did not work.
• If I run the whole code outside proxies, it works fine.

[RajatDevSharma]

Any help on this guys !

[pradn]

Hey Rajat, this seems like a GRPC problem, perhaps related to this issue. It may be that there's an issue with the SSL cert itself, or with GRPC's handling of the connection. Please post an issue in the GRPC repository so the experts there can help you.

[pradn]

Please re-open if you have further questions.