How to open a secure channel in python gRPC client without a client SSL certificate
I have a gRPC server (in Go) that has a valid TLS certificate and does not require client-side TLS. For some reason I cannot implement the client without mTLS in Python, even though I can do so in Golang.
In Python I have:
```python
import os
import grpc

os.environ["GRPC_VERBOSITY"] = "DEBUG"
# os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"] = "/etc/ssl/certs/ca-bundle.crt"
channel = grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials())
grpc.channel_ready_future(channel).result(timeout=10)
```
This gives me the following error:
```
D0513 08:02:08.147319164 21092 security_handshaker.cc:181] Security handshake failed: {"created":"@1652446928.147311309","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":377,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
```
I can get this to work if I use SSL certificates by uncommenting the commented-out line. I know for a fact that my server does not request, require or verify client certificates, as the following Go code works perfectly:
```go
conn, err := grpc.DialContext(
	ctx,
	gRPCAddr,
	grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
)
dummyClient := dummy.NewDummyServiceClient(conn)
if _, err := dummyClient.Ping(context.Background(), &dummy.PingRequest{
	Ping: "go client ping",
}); err != nil {
	return fmt.Errorf("failed to ping: %w", err)
}
```
Solution 1:[1]
If the certificate on the server-side is publicly signed, you can use:
```python
grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials())
```
But that doesn't seem to work for you, so I guess the server certificate is signed by a root cert owned by you. You can pass in the root cert into the root_certificates field [1], and leave the other two fields empty. This use case is documented in our Authentication guide [2].
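```python
import os
import grpc

# Read the PEM-encoded root certificates and pass them as root_certificates.
with open(os.environ["GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"], 'rb') as f:
    creds = grpc.ssl_channel_credentials(f.read())
channel = grpc.secure_channel(ORBIUM_ADDR, creds)
```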
[1] https://grpc.github.io/grpc/python/grpc.html#grpc.ssl_channel_credentials
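An added example, not part of the original answer, of the approach in Solution 1: it picks a CA bundle, checks that it really holds PEM certificates, and opens a channel that verifies the server while presenting no client certificate. The helper names and the candidate paths other than the one in the question are assumptions.

```python
import os
import re
import ssl

# Candidate system CA bundles. The first path is the one from the question;
# the others are common locations (assumptions, adjust for your distribution).
CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/cert.pem",
)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def load_root_certificates(paths=CA_BUNDLE_CANDIDATES):
    """Return (path, pem_bytes, cert_count) for the first usable CA bundle."""
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            pem = f.read()
        text = pem.decode("ascii", errors="replace")
        # Key material does not belong in a trust bundle; refuse it outright.
        if "PRIVATE KEY-----" in text:
            raise ValueError(f"{path} contains a private key, not a CA bundle")
        certs = _PEM_CERT.findall(text)
        for block in certs:
            ssl.PEM_cert_to_DER_cert(block)  # raises ValueError on bad base64
        if certs:
            return path, pem, len(certs)
    raise FileNotFoundError("no CA bundle with certificates found")


def open_server_auth_channel(target, root_pem, timeout=10):
    """TLS channel that verifies the server and presents no client certificate."""
    import grpc  # imported here so the bundle check above runs without grpcio

    # Only root_certificates is set; private_key and certificate_chain stay
    # None, so this is server-authenticated TLS, not mTLS.
    creds = grpc.ssl_channel_credentials(root_certificates=root_pem)
    channel = grpc.secure_channel(target, creds)
    grpc.channel_ready_future(channel).result(timeout=timeout)
    return channel
```

Pass the bytes returned by `load_root_certificates()` to `open_server_auth_channel(ORBIUM_ADDR, pem)`; for a server certificate signed by a private CA, put that CA's PEM file first in `paths`.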
Solution 2:[2]
My guess based on Python GRPC doc https://grpc.github.io/grpc/python/grpc.html
```python
channel = grpc.insecure_channel(ORBIUM_ADDR)
```
instead of:
```python
channel = grpc.secure_channel(ORBIUM_ADDR, grpc.ssl_channel_credentials())
```
Solution 3:[3]
You need to export this code logic, and import it in the files that you need it in.
Let's put all your code in a file called a.js.
Your file becomes
```js
export default a = (function () {
  "use strict";
  ...
```
Let's create a file called b.js on the same level as a.js. Later you import it in b.js as follows:
```js
import a from "./a"
```
Note
Once you import a.js into any file, all the logic inside it will be automatically executed (you can see the function execution at the end) because the function self executes.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Lidi Zheng |
| Solution 2 | Jan Garaj |
| Solution 3 | Mohamad Kamar |
