grpc C++: default Ssl ChannelCredentials client side calls fail - c++

Using the grpc version 1.38.0, compiled on CentOS 7 from sources with gcc version 9.4.0 and cmake version 3.19.6 (with all the cmake dependencies set to "module"), the following code taken from the grpc documentation site:
auto channel_creds = grpc::SslCredentials(grpc::SslCredentialsOptions());
auto channel = grpc::CreateChannel(server_name, channel_creds);
compiles, links, runs, does not coredump but the respective grpc calls executed against that channel all fail with the following error message:
E0816 17:49:03.236686130 14443 ssl_transport_security.cc:1468] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
Since the referenced above google's documentation sample that implements
the simplest authentication scenario, where a client just wants to authenticate the server and encrypt all data
is taken to be complete, the respective grpc c++ server was bound to a needed port via the grpc::InsecureServerCredentials() option.
Clearly, either the sample code is not complete or some other instructions on how to implement "the simplest authentication scenario, where a client just wants to authenticate the server and encrypt all data" are missing.
Question: could someone please provide a complete c++ code that must be written on both the grpc c++ client side and the grpc c++ server side so that the much advertised "simplest authentication scenario, where a client just wants to authenticate the server and encrypt all data" actually works and the encrypted bytes do flow over the wire from a grpc c++ client to its grpc c++ server and the said grpc c++ server decrypts these bytes and passes them onto the underlying application? Along with any other non code instructions if those are needed.
Changing the code on the grpc c++ server side to use the grpc::SslServerCredentials( grpc::SslServerCredentialsOptions() ) leads to a code that compiles, links, runs but quickly dumps core with the following error message:
E0816 19:24:26.270527688 15081 ssl_security_connector.cc:268] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E0816 19:24:26.270775700 15081 server_secure_chttp2.cc:124] {"created":"#1629141866.270756657","description":"Unable to create secure server with credentials of type Ssl","file":"/opt/grpc_source/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc","file_line":104}
Segmentation fault
Running both the grpc c++ client and the grpc c++ server (on two different CentOS 7 boxes) in the "clear text" or "non secure" mode works perfectly fine - the said client happily packages its data into the protobuf message, executes the grpc call, the grpc c++ server receives the message and all is good.
Does anyone have any idea about what has to be done on the grpc c++ server side, I suspect, so that the functionality advertised on the grpc documentation site actually works - I am not looking to mess about with the custom certificate files, if it can be helped at all.
Using the default and built-in Ssl/Tls mechanism of the native grpc libraries is perfectly fine. In other words, some minimal viable grpc security is sufficient.
Thank you for any constructive insight.

Related

boost.asio + native windows sockets

We have a framework that communicates via native WinAPI sockets (WSASend , CompletionPorts, etc) via TCP.
Recently, we've added some classes to this framework that also async sends and receives some messages via UDP, but these classes use Boost.ASIO (io_context etc).
Since then, we noticed that WinSocks connect function fails, with the following error:
A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection
failed because connected host has failed to respond. The thread 0x3038
has exited with code 0 (0x0)
This only fails when connecting to a remote computer, not locally.
When reverting to an older version without these Boost classes, everything works fine (ruling out firewall issues)
When the Boost.ASIO classes our used outside of the framework, they work fine.
We are unsure what causes this issue. My hunch is that it is a conflict on OS level between winsock and boost.ASIO.
Did anyone run into something similar? Any ideas or pointers would be really appreciated.
Ben

Is there a way to get a thread dump of a GRPC server

I'm having a GRPC service written in Go that wraps a C++ library.
Now, once in a while, the server hangs on a grpcurl based client call, while it succeeds at other times in sending out a response.
I have tried exporting the grpc traces variable and setting the verbosity to DEBUG, but they didn't seem to help.

gRPC client keeps crashing when reading server stream

I am following the ListFeatures() example in this tutorial: https://github.com/grpc/grpc/blob/v1.31.0/examples/cpp/route_guide/route_guide_client.cc
My server is in Java and my client application is in c++.
I have both the server and the client running locally. What I am observing is that my application crashes when I try to read the stream response via `reader->Read(&feature). I can verify that the server receives the api call and is sending responses back. I am also able to successfully hit the server from bloomRPC.
Any ideas why I can't receive responses in my c++ client application?
Much appreciated!
I had this problem when the context used to create the ClientReader fell out of scope. The context needs to be persistent while the ClientReader is in use.

Looking for poco ssl websocket client example in C++ for Windows 7

I've been looking through the poco samples and documentation, but I couldn't find out how to use poco's websockets and SSL combined. I successfully connected a non-SSL websocket (based on the WebSocket class) to a server (the echoserver sample from Qt5.4, running on Ubuntu), but how to add SSL to the client eludes me. Poco's NetSSL_OpenSSL samples aren't all that helpful, because I don't need to know how to download, tweet, mail or write a time server. Also the latter is the only one that uses "SecureStreamSocket" objects at all (which is probably the class I need). But that sample just accesses the socket from the request object, it doesn't show how to create and configure one properly.
I just want an SSL websocket client to send and receive some simple messages, like "Hello World". Can anyone help me please?
I use Windows 7 64 Bit for the client's OS and Ubuntu 64 Bit on VirtualBox for the server's OS, but the server side is no problem. My poco version is 1.6.0 and I compiled it with Visual Studio 2013 Express. Also I use OpenSSL 1.0.1j.
Cheers
Alex
Look at WebSocket testcase. Use HTTPSClientSession (instead of HTTPClientSession).

SOAP Request fails randomly on one Server but works on an other on iOS7

I have an iPhone App that gets the data by SOAP requests.
The SOAP calls are done by sudzc.com library.
I have to make SOAP Request to two servers.
Server A: is my own server, where I retrieve some informations, SOAP Response written by myself
Server B: a third party server that gives me some necessary informations
iOS 6
The app is working 100% correct.
iOS 7
Server A: working perfectly
Server B: SOAP Requests randomly fails. I am getting the following
error message sometimes:
< SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
< SOAP-ENV:Header/>
< SOAP-ENV:Body>
< SOAP-ENV:Fault>
< faultcode>SOAP-ENV:Server
< faultstring xml:lang="en">Could not access envelope: Unable to create envelope from given source: ; nested exception is com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Unable to create envelope from given source: : Unable to create envelope from given source: : org.xml.sax.SAXParseException: The markup in the document preceding the root element must be well-formed.: The markup in the document preceding the root element must be well-formed.
< /faultstring>
< detail/>
< /SOAP-ENV:Fault>
< /SOAP-ENV:Body>
< /SOAP-ENV:Envelope>
Anyone has an idea, why this only happens on iOS7 and how I could get rid of it?
UPDATE:
May it be related to the fact, that one server is running on https and the other runs on http?
Server A: http://www.xxx.xy
Server B: https://www.xxx.xy:443
I have written a support request to the iOS Team. here is what they replied... in Fact it has something to do with the htpps... Just in case someone runs into the same error, here might be the reason why:
I'm responding to your question as to why your SOAP requests are failing on iOS 7, but only when targeting one of your two servers. You wrote:
May it be related to the fact, that one server is running on https and
the other runs on http?
It turns out that your theory is correct. The problem here is that iOS 7 includes the recommended countermeasure for the BEAST attack.
http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
http://www.educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html
https://www.imperialviolet.org/2012/01/15/beastfollowup.html
iOS applies this countermeasure when it talks to a TLS 1.0 or earlier server (TLS 1.1 and later include their own fix for this attack) that negotiates the use a block cypher (stream cyphers are not vulnerable to this attack).
Looking at a packet trace of the test app you sent me, I can see that it opens a TLS 1.2 connection to www.xxxx.xy:443. That server downgrades the connection to TLS 1.0 and then negotiates to use the AES-128 block cypher (SSL_RSA_WITH_AES_128_CBC_SHA). After that I can see the unmistakable signs of this countermeasure kicking in.
I confirmed my analysis by running your test app on the simulator (which accurately reproduces the problem) and then, using the debugger, setting the internal state of Secure Transport (the subsystem that implements TLS on iOS) to disable this countermeasure entirely. On doing that I found that the first tab in your app works fine.
A well-known side effect of this countermeasure is that it causes problem for poorly written HTTPS servers. That's because it breaks up the HTTP request (the one running over the TLS connection) into chunks, and the server must be coded to correctly receive these chunks and join them into a single HTTP request. Some servers don't do that properly, which results in a variety of interesting failures.
The best way to solve this problem is to fix the server. The server should be able to cope with receiving the HTTP message in chunks, detecting HTTP message boundaries in the manner prescribed by RFC 2616.
http://www.ietf.org/rfc/rfc2616.txt
If that fix is too hard to implement in the short term, you can work around the problem by simply upgrading your server to support TLS 1.2. This is a good idea anyway.
Another workaround, one that's a less good idea, is to tweak the server configuration to negotiate the use of a stream cypher.
If you don't control the server, I strongly encourage you to lobby the server operators for a server-side fix for this problem. iOS 7 is not the only client that's implementing this workaround; you'll find it in recent versions of both Chrome, Firefox and so on.
If a server-side fix is just not possible, your options on the client side are less than ideal:
o You could replace HTTPS with HTTP. Obviously this is not a good thing, and it also requires that the server support HTTP. Also, HTTP comes with its own array of un-fun problems (various middleboxes, especially those run by cellular carriers, like to monkey with HTTP messages).
o At the lowest level, you can disable this countermeasure for a given a Secure Transport context by way of the kSSLSessionOptionSendOneByteRecord flag (see ). This flag is not directly available to higher-level software, although it is possible to use it at the CFSocketStream layer (because that API gives you a way to get at the Secure Transport context it's using).
IMPORTANT: The high-level APIs, NSURLSession and NSURLConnection, don't give you access to the Secure Transport context, nor do they provide any control over this aspect of TLS. Thus, there's no way to disable this countermeasure and continue working with those nice, high-level APIs.
o You could implement your own HTTP layer on top of our TLS infrastructure (ideally CFSocketStream). Alas, this is a whole world of pain: HTTP is a lot more complex than you might think.
I'm sorry I don't have better news.