gRPC client cannot connect to the server with a TLS certificate

Time: 2019-08-07 15:23:41

Tags: python ssl grpc

I am trying to establish an encrypted connection with gRPC using a TLS certificate. With an insecure connection everything works, and I also tried a client written in Go, which works as well. But with Python I get the following error:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
        status = StatusCode.UNAVAILABLE
        details = "failed to connect to all addresses"
        debug_error_string = "{"created":"@1565190346.229323178","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3528,"referenced_errors":[{"created":"@1565190346.229314131","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":399,"grpc_status":14}]}"

Here is my client code:

import grpc
import srv_pb2_grpc  # stubs generated from the service's .proto file

# No root_certificates given: the server certificate is checked against gRPC's default CA bundle.
credentials = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('127.0.0.1:9332', credentials)
stub = srv_pb2_grpc.SrvStub(channel)
response = stub.Action(msg='msg')  # generated stub methods take a request message object

Any suggestions?

Update

Below is the output with the GRPC_TRACE and GRPC_VERBOSITY environment variables set.

import os
# Both variables are read when the gRPC core initialises, which happens at import time, so set them before importing grpc.
os.environ['GRPC_TRACE'] = 'transport_security,tsi'
os.environ['GRPC_VERBOSITY'] = 'DEBUG'
I0808 11:24:21.077552208   28357 ev_epoll1_linux.cc:116]     grpc epoll fd: 3                                                                                                                                        
D0808 11:24:21.077580061   28357 ev_posix.cc:174]            Using polling engine: epoll1                                                                                                                            
D0808 11:24:21.077622131   28357 dns_resolver_ares.cc:483]   Using ares dns resolver                                                                                                                                 
E0808 11:24:21.077633004   28357 trace.cc:65]                Unknown trace var: 'transport_security'                                                                                                                 
I0808 11:24:21.402168083   28357 ssl_transport_security.cc:217]      HANDSHAKE START -       TLS client start_connect  - !!!!!!                                                                                      
I0808 11:24:21.402353776   28357 ssl_transport_security.cc:217]                 LOOP -    TLS client enter_early_data  - !!!!!!                                                                                      
I0808 11:24:21.402387194   28357 ssl_transport_security.cc:217]                 LOOP -   TLS client read_server_hello  - !!!!!!                                                                                      
I0808 11:24:21.606877030   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_certifi  - !!!!!!                                                                                      
I0808 11:24:21.607580283   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_st  - !!!!!!                                                                                      
I0808 11:24:21.607612862   28357 ssl_transport_security.cc:217]                 LOOP - TLS client verify_server_certi  - !!!!!!                                                                                      
I0808 11:24:21.613300944   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_key_exc  - !!!!!!                                                                                      
I0808 11:24:21.614718867   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_re  - !!!!!!                                                                                      
I0808 11:24:21.614762602   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_hello_d  - !!!!!!                                                                                      
I0808 11:24:21.614782664   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!                                                                                      
I0808 11:24:21.614798210   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_key_exc  - !!!!!!
I0808 11:24:21.616791101   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!
I0808 11:24:21.616817014   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_finishe  - !!!!!!
I0808 11:24:21.616891441   28357 ssl_transport_security.cc:217]                 LOOP -       TLS client finish_flight  - !!!!!!
I0808 11:24:21.616916680   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_session_ticket  - !!!!!!
I0808 11:24:21.811575115   28357 ssl_transport_security.cc:217]                 LOOP - TLS client process_change_ciph  - !!!!!!
I0808 11:24:21.811645429   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_finishe  - !!!!!!
I0808 11:24:21.811706483   28357 ssl_transport_security.cc:217]                 LOOP - TLS client finish_client_hands  - !!!!!!
I0808 11:24:21.811745454   28357 ssl_transport_security.cc:217]                 LOOP -                TLS client done  - !!!!!!
I0808 11:24:21.811763000   28357 ssl_transport_security.cc:217]       HANDSHAKE DONE -                TLS client done  - !!!!!!
D0808 11:24:21.811984315   28357 security_handshaker.cc:176] Security handshake failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}
I0808 11:24:21.812313765   28357 subchannel.cc:1031]         Connect failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}

2 answers:

Answer 0 (score: 0)

The latest version of the grpcio PIP package (1.23.0) is compiled against an older version of OpenSSL that does not properly support ALPN, and gRPC requires ALPN as part of the spec.

If you install it with pip install grpcio~=1.19.0 it will work, owing to a different bug: that version of grpcio does not require ALPN at all.

ALPN is only a performance improvement, so disabling it carries no security risk.

Answer 1 (score: 0)

If you have control over the server, you should consider enabling ALPN. I was configuring an Envoy proxy and ran into the same error. Following the instructions in this comment fixed it for me: https://github.com/envoyproxy/envoy/issues/4291#issuecomment-417292285
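Answer 0 states that gRPC requires ALPN and answer 1 says to enable it on the server. The following Go program, added here as an illustration and not part of the question or of either answer, shows both sides of that requirement in one runnable piece: a TLS server with ALPN unconfigured (the situation the trace above ran into) and one offering "h2", each against a client that, like the gRPC client, refuses any connection on which "h2" was not selected. It is written in Go rather than Python because Go's standard library can mint the throwaway self-signed certificate the example needs in order to run offline (the question already mentions a Go client). The certificate, the in-process servers and the function names selfSignedCert, serveOnce, checkPeerALPN and negotiateWith are the example's own assumptions, not gRPC or Envoy code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate for 127.0.0.1 so the example runs
// offline, returning it with a pool that trusts it (constructed for this demo only).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "alpn-demo"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it doubles as its own trust root
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// serveOnce starts a TLS listener offering exactly the given ALPN protocols (nil means
// ALPN not configured, e.g. Envoy with no alpn_protocols), completes one handshake, hangs up.
func serveOnce(cert tls.Certificate, alpn []string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: alpn})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// checkPeerALPN does what the gRPC client does before trusting a connection: verify the
// server certificate, then insist the server selected "h2" via ALPN (HTTP/2 over TLS requires
// it). Anything else is rejected, which is the "missing selected ALPN property" failure above.
func checkPeerALPN(addr string, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, NextProtos: []string{"h2"}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	proto := conn.ConnectionState().NegotiatedProtocol
	if proto != "h2" {
		return proto, errors.New("cannot check peer: missing selected ALPN property")
	}
	return proto, nil
}

// negotiateWith runs the client check against a fresh server with the given ALPN list.
func negotiateWith(serverALPN []string) (string, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	addr, err := serveOnce(cert, serverALPN)
	if err != nil {
		return "", err
	}
	return checkPeerALPN(addr, roots)
}

func main() {
	for _, alpn := range [][]string{nil, {"h2"}} {
		proto, err := negotiateWith(alpn)
		fmt.Printf("server ALPN %v -> negotiated %q, client error: %v\n", alpn, proto, err)
	}
}
```

Run it and the first line reports an empty negotiated protocol with the rejection error, the second reports "h2" with no error. Note that in the failing case the TLS handshake itself completes and the certificate verifies, exactly as in the trace above (HANDSHAKE DONE followed by the security handshake failure): the client is enforcing RFC 7540's requirement that HTTP/2 over TLS negotiate "h2" through ALPN, not reporting a certificate problem. The same check against a real endpoint from the command line is openssl s_client -alpn h2 -connect host:port, whose output contains "ALPN protocol: h2" when the server is configured correctly and "No ALPN negotiated" otherwise; that is worth running before changing grpcio versions, since the fix belongs on the server side.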