python - gRPC 客户端无法使用 TLS 证书连接到服务器

Question

我正在尝试使用 gRPC 与 TLS 证书建立加密连接。通过不安全的连接，一切正常，我也尝试使用在 Go 上编写的客户端，它也可以。但是使用 Python 我收到以下错误:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
        status = StatusCode.UNAVAILABLE
        details = "failed to connect to all addresses"
        debug_error_string = "{"created":"@1565190346.229323178","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3528,"referenced_errors":
[{"created":"@1565190346.229314131","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":399,"grpc_status":14}]}"

这是我客户的代码:

credentials = grpc.ssl_channel_credentials()
channel = grpc.secure_channel('127.0.0.1:9332', credentials)
stub = srv_pb2_grpc.SrvStub(channel)
response = stub.Action(msg='msg')

有什么建议吗？

更新

这是带有 GRPC_TRACE 和 GRPC_VERBOSITY 环境变量的输出。

os.environ['GRPC_TRACE'] = 'transport_security,tsi'
os.environ['GRPC_VERBOSITY'] = 'DEBUG'

I0808 11:24:21.077552208   28357 ev_epoll1_linux.cc:116]     grpc epoll fd: 3                                                                                                                                        
D0808 11:24:21.077580061   28357 ev_posix.cc:174]            Using polling engine: epoll1                                                                                                                            
D0808 11:24:21.077622131   28357 dns_resolver_ares.cc:483]   Using ares dns resolver                                                                                                                                 
E0808 11:24:21.077633004   28357 trace.cc:65]                Unknown trace var: 'transport_security'                                                                                                                 
I0808 11:24:21.402168083   28357 ssl_transport_security.cc:217]      HANDSHAKE START -       TLS client start_connect  - !!!!!!                                                                                      
I0808 11:24:21.402353776   28357 ssl_transport_security.cc:217]                 LOOP -    TLS client enter_early_data  - !!!!!!                                                                                      
I0808 11:24:21.402387194   28357 ssl_transport_security.cc:217]                 LOOP -   TLS client read_server_hello  - !!!!!!                                                                                      
I0808 11:24:21.606877030   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_certifi  - !!!!!!                                                                                      
I0808 11:24:21.607580283   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_st  - !!!!!!                                                                                      
I0808 11:24:21.607612862   28357 ssl_transport_security.cc:217]                 LOOP - TLS client verify_server_certi  - !!!!!!                                                                                      
I0808 11:24:21.613300944   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_key_exc  - !!!!!!                                                                                      
I0808 11:24:21.614718867   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_certificate_re  - !!!!!!                                                                                      
I0808 11:24:21.614762602   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_hello_d  - !!!!!!                                                                                      
I0808 11:24:21.614782664   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!                                                                                      
I0808 11:24:21.614798210   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_key_exc  - !!!!!!
I0808 11:24:21.616791101   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_certifi  - !!!!!!
I0808 11:24:21.616817014   28357 ssl_transport_security.cc:217]                 LOOP - TLS client send_client_finishe  - !!!!!!
I0808 11:24:21.616891441   28357 ssl_transport_security.cc:217]                 LOOP -       TLS client finish_flight  - !!!!!!
I0808 11:24:21.616916680   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_session_ticket  - !!!!!!
I0808 11:24:21.811575115   28357 ssl_transport_security.cc:217]                 LOOP - TLS client process_change_ciph  - !!!!!!
I0808 11:24:21.811645429   28357 ssl_transport_security.cc:217]                 LOOP - TLS client read_server_finishe  - !!!!!!
I0808 11:24:21.811706483   28357 ssl_transport_security.cc:217]                 LOOP - TLS client finish_client_hands  - !!!!!!
I0808 11:24:21.811745454   28357 ssl_transport_security.cc:217]                 LOOP -                TLS client done  - !!!!!!
I0808 11:24:21.811763000   28357 ssl_transport_security.cc:217]       HANDSHAKE DONE -                TLS client done  - !!!!!!
D0808 11:24:21.811984315   28357 security_handshaker.cc:176] Security handshake failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}
I0808 11:24:21.812313765   28357 subchannel.cc:1031]         Connect failed: {"created":"@1565252661.811954686","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":129}

Answer 1

最新版本的 PIP grpcio 包 (1.23.0) 是用旧版本的 OpenSSL 编译的，它不能正确支持 ALPN，并且 GRPC 需要 ALPN 作为规范的一部分。

如果你 pip install grpcio~=1.19.0 它会工作，因为一个不同的错误——这个版本的 grpcio 根本不需要 ALPN。

ALPN 只是一种性能改进，因此禁用它不会带来安全风险。