gRPC interop: TLS problems #896

Open
stevej opened this issue Jan 5, 2017 · 1 comment
stevej commented Jan 5, 2017

While trying to use linkerd as a proxy for the grpc-java interop tests, I'm running into a TLS handshake error.

linkerd logs:

I 0105 22:40:04.898 THREAD1: Tracer: com.twitter.finagle.zipkin.thrift.ScribeZipkinTracer
I 0105 22:40:05.058 THREAD1: serving http admin on /0.0.0.0:9990
I 0105 22:40:05.073 THREAD1: serving grpc on /0.0.0.0:4141
I 0105 22:40:05.256 THREAD1: initialized
WARN 0105 22:40:32.803 finagle/netty4-1: [id: 0xa74dc465, L:/10.240.0.10:4141 - R:/10.240.0.4:34934] Failed to select the application-level protocol:
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
        at sun.nio.ch.IOUtil.read(IOUtil.java:192)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
        at io.netty.buffer.UnpooledUnsafeDirectByteBuf.setBytes(UnpooledUnsafeDirectByteBuf.java:423)
        at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:1100)
        at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:343)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:118)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:571)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:512)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:426)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:398)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:877)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at com.twitter.finagle.util.ProxyThreadFactory$$anonfun$newProxiedRunnable$1$$anon$1.run(ProxyThreadFactory.scala:19)
        at java.lang.Thread.run(Thread.java:745)
WARN 0105 22:40:32.809 finagle/netty4-1: [id: 0xa74dc465, L:/10.240.0.10:4141 ! R:/10.240.0.4:34934] TLS handshake failed:
java.nio.channels.ClosedChannelException
        at io.netty.handler.ssl.SslHandler.channelInactive(...)(Unknown Source)
E 0105 22:40:32.812 THREAD25: [S L:/10.240.0.10:4141 R:/10.240.0.4:34934] dispatcher failed
com.twitter.finagle.ChannelClosedException: ChannelException at remote address: /10.240.0.4:34934. Remote Info: Not Available

client logs:

stevej@netty-test-8:~/grpc-interop-testing-1.1.0-SNAPSHOT$ ./bin/test-client --server_host=foo.test.google.au --server_port=4141 --use_tls=true --test_case=empty_unary --server_host_override=foo.test.google.au --use_test_ca=true
Jan 05, 2017 10:40:31 PM io.grpc.internal.ManagedChannelImpl <init>
INFO: [io.grpc.internal.ManagedChannelImpl-1] Created with target directaddress:https:///foo.test.google.au/10.240.0.10:4141
Running test empty_unary
Jan 05, 2017 10:40:32 PM io.grpc.internal.ManagedChannelImpl maybeTerminateChannel
INFO: [io.grpc.internal.ManagedChannelImpl-1] Terminated
Exception in thread "main" io.grpc.StatusRuntimeException: UNAVAILABLE
        at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:230)
        at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:211)
        at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:144)
        at io.grpc.testing.integration.TestServiceGrpc$TestServiceBlockingStub.emptyCall(TestServiceGrpc.java:398)
        at io.grpc.testing.integration.AbstractInteropTest.emptyUnary(AbstractInteropTest.java:210)
        at io.grpc.testing.integration.TestServiceClient.runTest(TestServiceClient.java:212)
        at io.grpc.testing.integration.TestServiceClient.run(TestServiceClient.java:200)
        at io.grpc.testing.integration.TestServiceClient.main(TestServiceClient.java:84)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:604)
        at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:457)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:824)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:931)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:974)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1097)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:968)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:574)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:488)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873)
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: No data available in passed DER encoded value.
        at sun.security.x509.X509CertImpl.getSubjectAlternativeNames(X509CertImpl.java:1684)
        at java.security.cert.X509Certificate.getSubjectAlternativeNames(X509Certificate.java:605)
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:189)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:600)
        ... 25 more
Caused by: java.io.IOException: No data available in passed DER encoded value.
        at sun.security.x509.GeneralNames.<init>(GeneralNames.java:61)
        at sun.security.x509.SubjectAlternativeNameExtension.<init>(SubjectAlternativeNameExtension.java:141)
        at sun.security.x509.X509CertImpl.getSubjectAlternativeNames(X509CertImpl.java:1670)
        ... 34 more
Shutting down
stevej@netty-test-8:~/grpc-interop-testing-1.1.0-SNAPSHOT$
olix0r added the gRPC label Jan 6, 2017
olix0r added a commit that referenced this issue Jan 11, 2017
Problem

Finagle doesn't expose any way for clients to configure ALPN protocol
negotiation. This breaks HTTP/2 clients.

Solution

Expose a new stack param, Netty4ClientTls.ApplicationProtocols. This parameter
is used by the Netty4ClientTls channel handler, which is responsible for
replacing the "ssl" and "sslConnect" channel handlers installed by
com.twitter.finagle.netty4.ssl.Netty4SslHandler.

We'll need to find a better long-term solution in Finagle.

Fixes #760
Maybe #896 too
olix0r commented Feb 7, 2017

Caused by: java.io.IOException: No data available in passed DER encoded value.
        at sun.security.x509.GeneralNames.<init>(GeneralNames.java:61)
        at sun.security.x509.SubjectAlternativeNameExtension.<init>(SubjectAlternativeNameExtension.java:141)
        at sun.security.x509.X509CertImpl.getSubjectAlternativeNames(X509CertImpl.java:1670)
        ... 34 more

This looks like a problem with your certs.
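The client trace above fails inside `HostnameChecker.matchDNS` -> `X509CertImpl.getSubjectAlternativeNames` -> `GeneralNames.<init>`, and the JDK raises "No data available in passed DER encoded value." from that constructor when the subjectAltName SEQUENCE it is handed contains no entries: the served certificate carries a SAN extension that is present but empty, which is consistent with the reply that the certs are the problem. The following stdlib-only Python is an added example, not code from this issue, from linkerd or from Finagle; it hand-builds two constructed SAN extensions (one naming the interop host `foo.test.google.au`, one with zero names), parses them with a minimal DER reader, and reports what a client's hostname check would conclude, so an operator can tell an empty-SAN certificate apart from a plain name mismatch before deploying it behind a proxy.

```python
"""Diagnose the subjectAltName failure seen in the client trace above.

Constructed, stdlib-only example: a minimal DER reader that walks an X.509
Extension value, extracts the dNSName entries from subjectAltName and reports
the "present but empty" case that the JDK surfaces as
"No data available in passed DER encoded value."
"""

OID_SAN_DER = bytes.fromhex("551d11")  # content bytes of OID 2.5.29.17 (id-ce-subjectAltName)


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple (long-form length where needed)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(data: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, content, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def build_san_extension(dns_names) -> bytes:
    """Build Extension{extnID, extnValue OCTET STRING{GeneralNames}} with dNSName entries.

    Constructed test data only; a real certificate embeds this inside
    TBSCertificate.extensions.
    """
    general_names = b"".join(_tlv(0x82, name.encode("ascii")) for name in dns_names)  # [2] dNSName
    extn_value = _tlv(0x04, _tlv(0x30, general_names))
    return _tlv(0x30, _tlv(0x06, OID_SAN_DER) + extn_value)


def parse_san_extension(ext_der: bytes) -> list:
    """Return the dNSName strings in a subjectAltName Extension; raise on an empty GeneralNames."""
    tag, ext_body, end = _read_tlv(ext_der, 0)
    if tag != 0x30 or end != len(ext_der):
        raise ValueError("Extension must be a single SEQUENCE")
    tag, oid, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or oid != OID_SAN_DER:
        raise ValueError("not a subjectAltName extension")
    tag, extn_value, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:  # optional `critical BOOLEAN` precedes extnValue
        tag, extn_value, pos = _read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, names, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    if not names:
        # The JDK's GeneralNames constructor rejects exactly this input, which is
        # what HostnameChecker.matchDNS hit in the trace above.
        raise ValueError("subjectAltName is present but contains no names")
    dns_names, pos = [], 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag == 0x82:
            dns_names.append(content.decode("ascii"))
    return dns_names


def matches_host(ext_der: bytes, host: str) -> bool:
    """RFC 6125-style match: exact name or a single leftmost wildcard label."""
    host = host.lower().rstrip(".")
    for name in parse_san_extension(ext_der):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(ext_der: bytes, host: str) -> str:
    """Summarise what a TLS client's hostname check would conclude for this SAN."""
    try:
        return "ok" if matches_host(ext_der, host) else "no-match"
    except ValueError as exc:
        return "empty-san" if "no names" in str(exc) else "malformed"


# Constructed sample data: a healthy SAN covering the interop test host, and the
# shape that reproduces the error in the trace (extension present, zero names).
GOOD_SAN = build_san_extension(["foo.test.google.au", "*.test.google.fr"])
EMPTY_SAN = build_san_extension([])

if __name__ == "__main__":
    for label, ext in (("good", GOOD_SAN), ("empty", EMPTY_SAN)):
        print(f"{label}: {ext.hex()} -> {diagnose(ext, 'foo.test.google.au')}")
```

Running the script prints the DER hex of each constructed extension next to the verdict; an "empty-san" verdict is the certificate-side condition behind the trace, while "no-match" means the SAN is well-formed but does not cover the `--server_host_override` name the client checks against.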
