openconfig / gnmi

gRPC Network Management Interface
Apache License 2.0

OPENSSL_internal:BAD_DECRYPT error #38

Closed kboyapa1 closed 6 years ago

kboyapa1 commented 6 years ago

We build the gnmi Go client (gnmi_cli) using go1.10.4.linux-amd64.tar.gz.

When we use this gnmi_cli from an x86_64 architecture to connect to a gNMI server running on a ppc64 machine using openssl certificates, we see the following error. The same certificates work fine when the gNMI server is running on an x86_64 or armv7l machine. There is not much info on the BAD_DECRYPT error. Can we use a gnmi_cli built on one architecture with a server on another architecture? What could be the reason for the BAD_DECRYPT error when the same certificates work on a different architecture?

E0901 13:59:46.484633290 25656 ssl_transport_security.cc:976] Handshake failed with fatal error SSL_ERROR_SSL: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT.

```
$ openssl version
OpenSSL 1.1.0e 16 Feb 201
$
$ uname -a
Linux fujitsu 3.12.19-rt30-4.0_2+g6619b8b #1 SMP Fri Aug 31 14:09:57 CDT 2018 ppc64 GNU/Linux
$
```

Certificate Generation commands:

client_openssl.txt

```
# Root CA used to sign the client certificate
openssl genrsa -passout pass:1234 -des3 -out googleca.key 4096
openssl req -passin pass:1234 -new -x509 -days 365 -key googleca.key -out googleca.crt -subj "/C=SP/ST=Spain/L=Valdepenias/O=Test/OU=Test/CN=Root CA"

# Client key, CSR and certificate; the last command removes the passphrase from client.key
openssl genrsa -passout pass:1234 -des3 -out client.key 4096
openssl req -passin pass:1234 -new -key client.key -out client.csr -subj "/C=SP/ST=Spain/L=Valdepenias/O=Test/OU=Client/CN=gNMIClientKoti"
openssl x509 -passin pass:1234 -req -days 365 -in client.csr -extfile ./client_openssl.cnf -extensions v3_ca -CA googleca.crt -CAkey googleca.key -set_serial 01 -out client.crt
openssl rsa -passin pass:1234 -in client.key -out client.key

openssl x509 -in googleca.crt -text >> roots.pem

# Root CA used to sign the server certificate
openssl genrsa -passout pass:1234 -des3 -out fujitsuca.key 4096
openssl req -passin pass:1234 -new -x509 -days 365 -key fujitsuca.key -out fujitsuca.crt -subj "/C=SP/ST=Spain/L=Valdepenias/O=Test/OU=Test/CN=Root CA"

# Server key, CSR and certificate
openssl genrsa -passout pass:1234 -des3 -out server.key 4096
openssl req -passin pass:1234 -new -key server.key -out server.csr -subj "/C=SP/ST=Spain/L=Valdepenias/O=Test/OU=Server/CN=gNMIServerKoti"
openssl x509 -req -passin pass:1234 -days 365 -in server.csr -extfile ./client_openssl.cnf -extensions v3_ca -CA fujitsuca.crt -CAkey fujitsuca.key -set_serial 01 -out server.crt

# CA bundle, passphrase-free server key, and combined key + certificate file
touch ca-bundle.crt
chmod 777 ca-bundle.crt
openssl x509 -in fujitsuca.crt -text >> ca-bundle.crt
openssl rsa -passin pass:1234 -in server.key -out server.key
cat server.key server.crt > server.pem
```

kboyapa1 commented 6 years ago

The issue is with the BoringSSL built into gRPC. BoringSSL does not support big-endian architectures. We have upgraded to python_grpcio_1.14.1, which is allowed to use OpenSSL instead of BoringSSL. After switching to OpenSSL, the issue is resolved.
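A triage helper for the failure discussed in this thread, as an added example that is not part of the original issue or of the gnmi/gRPC code: it decodes the error string from the quoted log line and flags the combination the reporter identified, BoringSSL on a big-endian host. The function names, the result labels and the short machine-type table are assumptions of this example; `machine` is the `uname -m` value of the host that logged the line.

```python
import re

# Error-queue entry format: error:<8 hex digits>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:(?P<code>[0-9a-fA-F]{8}):(?P<lib>[^:]+)"
                    r":(?P<func>[^:]+):(?P<reason>[A-Za-z0-9_ ]+)")

# `uname -m` values with a well-known byte order (short list, assumed here).
BIG_ENDIAN = {"ppc", "ppc64", "s390x", "sparc64"}
LITTLE_ENDIAN = {"x86_64", "armv7l", "aarch64", "ppc64le"}

# Log line copied from the issue.
ISSUE_LINE = (
    "E0901 13:59:46.484633290 25656 ssl_transport_security.cc:976] "
    "Handshake failed with fatal error SSL_ERROR_SSL: "
    "error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT."
)


def parse_tls_error(line):
    """Decode the first error-queue entry in a log line, or return None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    return {
        "lib_id": code >> 24,        # top byte: library number
        "reason_id": code & 0xFFF,   # low 12 bits: reason number
        "reason": m.group("reason").strip(),
        # BoringSSL prints the literal "OPENSSL_internal" as the function.
        "boringssl": m.group("func") == "OPENSSL_internal",
    }


def byte_order(machine):
    """Map a `uname -m` string to 'big', 'little' or 'unknown'."""
    if machine in BIG_ENDIAN:
        return "big"
    return "little" if machine in LITTLE_ENDIAN else "unknown"


def triage(log_line, machine):
    """Classify a handshake failure logged on a host of this machine type."""
    err = parse_tls_error(log_line)
    if err is None:
        return "no-tls-error"
    if not err["boringssl"]:
        return "other-tls-stack"
    return "boringssl-on-big-endian" if byte_order(machine) == "big" else "boringssl-other"
```

`triage(ISSUE_LINE, "ppc64")` returns `"boringssl-on-big-endian"`, while the same line paired with `"x86_64"` or `"armv7l"` does not, matching the behaviour reported above.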