Dealing with TLS on gRPC


I am connecting to a server which has TLS support with SSL certs. I am getting an SSL Handshake error on the Android app client. I also use useTransportSecurity() to deal with the TLS negotiation type. Is there any workaround to get away with this error without certificate pinning?

Error encountered:

Caused by: java.lang.RuntimeException: protocol negotiation failed
    at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate(OkHttpProtocolNegotiator.java:96)
    at io.grpc.okhttp.OkHttpProtocolNegotiator$AndroidNegotiator.negotiate(OkHttpProtocolNegotiator.java:147)
    at io.grpc.okhttp.OkHttpTlsUpgrader.upgrade(OkHttpTlsUpgrader.java:63)
    at io.grpc.okhttp.OkHttpClientTransport$2.run(OkHttpClientTransport.java:474)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
    at java.lang.Thread.run(Thread.java:764)

And this is how I generate my channel:

import io.grpc.ManagedChannel;
import io.grpc.okhttp.OkHttpChannelBuilder;

ManagedChannel mChannel = OkHttpChannelBuilder.forAddress(host, port)
        .useTransportSecurity()   // TLS; gRPC then expects the server to negotiate h2 via ALPN
        .build();

Appreciate your time and help.

ALPN is failing during the TLS handshake, which prevents gRPC from negotiating HTTP/2. Either you aren't connecting to a gRPC / HTTP/2 server or your client's TLS library is too old.

Please review the SECURITY.md documentation. Namely, you probably want to "install" the Play Services Dynamic Security Provider into the runtime when your app starts.


It might rather be a matter of how you create the server; see SECURITY.md for Mutual TLS ...

import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;

Server server = NettyServerBuilder.forPort(8443)
    .sslContext(GrpcSslContexts.forServer(certChainFile, privateKeyFile)
        .trustManager(clientCAsFile)       // CAs allowed to issue client certificates
        .clientAuth(ClientAuth.REQUIRE)    // mutual TLS: reject clients that present no certificate
        .build())
    .build();


Answering my own question.

This error comes from the ALPN TLS extension, which I needed my SSL endpoint to support. I was using NPN, and that is why I was unable to connect.

Posted by Carl Mastrangelo in grpc.io google groups



Comments
  • The endpoint needed an ALPN TLS support and that worked like a charm. However, I would still wonder why Android needs to install Dynamic Security Provider. I tried in some of the new and old Android devices I have and I don't seem to stumble upon any issue
  • From SECURITY.md: "Although ALPN mostly works on newer Android releases (especially since 5.0), there are bugs and discovered security vulnerabilities that are only fixed by upgrading the security provider." Some of the bugs are races with library calls done in other parts of the application (like if you use NPN elsewhere in your application). Those sorts of things will trigger "randomly." Also, older devices may be using NPN instead of ALPN. That may work today, but requires NPN on the server. But NPN support is disappearing in the ecosystem.