Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number. #38

Closed
Kliton opened this issue Sep 1, 2017 · 17 comments

Comments

@Kliton

Kliton commented Sep 1, 2017

No description provided.

@Kliton
Author

Kliton commented Sep 1, 2017

Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

@danbopes

danbopes commented Sep 5, 2017

+1 same error here.

@vindu939

+1 same error here

@srz09

srz09 commented Oct 10, 2017

+1

@rochdev

rochdev commented Oct 12, 2017

Same error. Anybody figured it out yet?

@njpatel
Owner

njpatel commented Oct 12, 2017

Hi, I've been busy recently but I'll take a look at this tomorrow evening. Does anyone have a test case or a way to reproduce the error?

@danbopes

I'm pretty sure it's just a newer version of grpc. Fire up the latest version, and you should get the error.

@Kliton
Author

Kliton commented Oct 18, 2017

I found that I was missing the -i flag.

@Kliton Kliton closed this as completed Oct 18, 2017
@rochdev

rochdev commented Oct 18, 2017

@Kliton Please reopen as this is still an issue when actually using SSL and thus not using the -i flag on purpose

@njpatel njpatel reopened this Oct 20, 2017
@njpatel
Owner

njpatel commented Oct 20, 2017

I've been doing some digging and I found the following links; maybe they'll help debug the issue:

grpc/grpc#9761
grpc/grpc#6757

Can I confirm that your servers & client machines have the root ca-certificates installed and you're not passing in specific certificates? (And, if not, please describe the SSL setup you're using.)

@njpatel
Owner

njpatel commented Oct 20, 2017

It might also be worth upgrading your grpcc and testing with latest (v1.0.0). If you continue to have the issue, I'd appreciate it if you provide some details (see my comment above). Cheers.

@mistersms

Hello,
is the problem an old version of openssl?
I have the same issue and I am trying to update openssl at the moment...

@rejeeshchandran

Hello, I am also facing this issue

E0622 13:02:23.663000000  4784 src/core/tsi/ssl_transport_security.cc:1063] Handshake failed with fatal error SSL_ERROR_SSL: error:10000095:SSL routines:OPENSSL_internal:ERROR_PARSING_EXTENSION.
Traceback (most recent call last):
  File "ttn_demo.py", line 11, in <module>
    handler = ttn.HandlerClient(app_id, access_key)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\handler.py", line 30, in __init__
    self.__open(discovery_address)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\handler.py", line 39, in __open
    self.announcement = discovery.get_by_app_id(self.app_id)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\ttn\discovery.py", line 48, in get_by_app_id
    return self.client.GetByAppID(req)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\grpc\_channel.py", line 500, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "D:\Rejeesh\ADVANC~1\LINKED~1\DJANGO~1\env\lib\site-packages\grpc\_channel.py", line 434, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.NOT_FOUND, discovery:app_id:0x70B3D57ED000F8FF not found)>

@ErikNeudert

I know this error from when I was working with Tomcat.
The problem was that I was trying to connect with TLSv1, while it only allowed TLSv1.1.

@areliszxz

Take a look at https://github.com/areliszxz/nginx-grpc-grpcs
In short: use NGINX to debug and make sure your certificates are set up correctly. Most of these problems come from the communication
client-server [web server: Apache, nginx or other] server-client.
I recommend nginx-debug to see how the request is coming in; it is a bit clearer in that respect.

@zlygostev

zlygostev commented Mar 20, 2019

The same problem with grpc 1.18.0. The C++ server and the C++ client are run on the same host.
OS - CentOS 7 with the latest updates at the moment.
Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
TLS Connection with a check of user cert
Client side

		grpc::SslCredentialsOptions ssl_opts = {
				file::getBinaryContent<grpc::string>(cacert),
				file::getBinaryContent<grpc::string>(key),
				file::getBinaryContent<grpc::string>(cert)
			};
		auto channel_creds = grpc::SslCredentials(ssl_opts);
		auto channel = grpc::CreateChannel(server, channel_creds);
		client.reset(new Client(channel));

Server side

		grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp = {
			file::getBinaryContent<grpc::string>(GetConfig().serverSettings().key),
			file::getBinaryContent<grpc::string>(GetConfig().serverSettings().cert)
		};
		grpc::SslServerCredentialsOptions
		ssl_opts(GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY);

		//ssl_opts.force_client_auth = true;
		ssl_opts.pem_root_certs = file::getBinaryContent<grpc::string>(
			GetConfig().serverSettings().cacert);

		ssl_opts.pem_key_cert_pairs.push_back(pkcp);

		builder.AddListeningPort(GetConfig().serverSettings().address,
			grpc::SslServerCredentials(ssl_opts));

The same situation if I remove the client certificate authentication check.
Note, the server is accessible by a Windows C# client.
ldd server
linux-vdso.so.1 => (0x00007ffea3161000)
libz.so.1 => /lib64/libz.so.1 (0x00007f0b7a7e0000)
libgrpc++.so.1 => /usr/local/lib/libgrpc++.so.1 (0x00007f0b7a54f000)
libgrpc.so.7 => /usr/local/lib/libgrpc.so.7 (0x00007f0b7a1c2000)
libcassandra.so.2 => /lib64/libcassandra.so.2 (0x00007f0b79db9000)
libgrpc++_reflection.so.1 => /usr/local/lib/libgrpc++_reflection.so.1 (0x00007f0b799df000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f0b797db000)
libboost_program_options.so.1.53.0 => /lib64/libboost_program_options.so.1.53.0 (0x00007f0b79569000)
libboost_system.so.1.53.0 => /lib64/libboost_system.so.1.53.0 (0x00007f0b79365000)
libboost_thread-mt.so.1.53.0 => /lib64/libboost_thread-mt.so.1.53.0 (0x00007f0b7914e000)
libboost_system-mt.so.1.53.0 => /lib64/libboost_system-mt.so.1.53.0 (0x00007f0b78f4a000)
librt.so.1 => /lib64/librt.so.1 (0x00007f0b785fb000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f0b782f4000)
libm.so.6 => /lib64/libm.so.6 (0x00007f0b77ff2000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f0b77ddc000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0b77bc0000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0b777f3000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0b7a9f6000)
libprofiler.so.0 => /lib64/libprofiler.so.0 (0x00007f0b775df000)
libgpr.so.7 => /usr/local/lib/libgpr.so.7 (0x00007f0b773d3000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f0b77161000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0b76d00000)
libuv.so.1 => /lib64/libuv.so.1 (0x00007f0b76ad4000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f0b768ba000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0b766a1000)
libtinyxml2.so.2 => /lib64/libtinyxml2.so.2 (0x00007f0b7648c000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0b7623f000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0b75f56000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f0b75d52000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0b75b1f000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f0b7590f000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f0b7570b000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f0b754e4000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f0b75282000)
If it helps
$ yum info openssl
Name : openssl
Version : 1.0.2k
Release : 16.el7
Size : 814 k
Grpc libs were built by the standard procedure from git sources v1.18.0
Server side logs
I0328 14:44:39.401028274 51500 tcp_posix.cc:419] READ 0x7f2d100033b0 (peer=ipv4:127.0.0.1:60320): 50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04 00 00 00 00 00 00 02 00 00 00 00 00 03 00 00 00 00 00 04 00 40 00 00 00 05 00 40 00 00 00 06 00 00 20 00 fe 03 00 00 00 01 00 00 04 08 00 00 00 00 00 00 3f 00 01 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 'PRI * HTTP/2.0....SM......$.....................@.....@...... .................?...................'
I0328 14:44:39.401083475 51500 ssl_transport_security.cc:217] HANDSHAKE START - before/accept initialization - UNKWN
I0328 14:44:39.401145076 51500 ssl_transport_security.cc:217] LOOP - before/accept initialization - UNKWN
E0328 14:44:39.401183077 51500 ssl_transport_security.cc:1233] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
D0328 14:44:39.401207777 51500 security_handshaker.cc:138] Security handshake failed: {"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0328 14:44:39.401217478 51500 ev_posix.cc:273] (fd-trace) fd_shutdown(17)
I0328 14:44:39.401246278 51500 handshaker.cc:212] handshake_manager 0x7f2d10003850: error={"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"} shutdown=0 index=1, args={endpoint=(nil), args=(nil) {size=0: (null)}, read_buffer=(nil) (length=0), exit_early=0}
I0328 14:44:39.401255578 51500 handshaker.cc:245] handshake_manager 0x7f2d10003850: handshaking complete -- scheduling on_handshake_done with error={"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
D0328 14:44:39.401264079 51500 chttp2_server.cc:123] Handshaking failed: {"created":"@1553773479.401192077","description":"Handshake failed","file":"src/core/lib/security/transport/security_handshaker.cc","file_line":257,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}
I0328 14:44:39.401314680 51500 ev_posix.cc:266] (fd-trace) grpc_fd_orphan, fd:17 closed
Client side logs:
D0328 14:52:22.295158717 51791 call.cc:720] {"created":"@1553773942.295146117","description":"Error received from peer","file":"src/core/lib/surface/call.cc","file_line":1036,"grpc_message":"Socket closed","grpc_status":14}
I0328 14:52:22.295167218 51791 completion_queue.cc:699] cq_end_op_for_next(cq=0x7fa9d400f1f0, tag=0x7fa9d40108a8, error="No Error", done=0x7fa9dea0b7e0, done_arg=0x7fa9d4010c10, storage=0x7fa9d4010c60)
I0328 14:52:22.295180218 51791 chttp2_transport.cc:2590] ipv4:127.0.0.1:50051: Complete BDP ping err={"created":"@1553773942.294964413","description":"Endpoint read failed","file":"src/core/ext/transport/chttp2/transport/chttp2_transport.cc","file_line":2491,"occurred_during_write":0,"referenced_errors":[{"created":"@1553773942.294925313","description":"Socket closed","fd":10,"file":"src/core/lib/iomgr/tcp_posix.cc","file_line":479,"grpc_status":14,"target_address":"ipv4:127.0.0.1:50051"}]}

Reproduced on certificates
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -subj "/C=RU/ST=RU/O=RU/CN=host" -out rootCA.crt
openssl req -new -sha256 -key server.key -subj "/C=RU/ST=CA/O=MyOrg, Inc./CN=host" -out server.csr
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256
cp -f server.key client.key
cp -f server.crt client.crt
The same certificates work with the C# gRPC client from a Windows host.
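
An added example, not part of the thread and not grpcc or gRPC code: the READ bytes in the server log above start with the HTTP/2 cleartext preface (`PRI * HTTP/2.0`) rather than a TLS record header, which is what a TLS listener sees when the peer opens a non-TLS channel. The sketch below parses such trace lines and classifies the first bytes; the function names and the second (TLS) sample line are constructed for illustration, and the first sample line is abridged from the log above.

```python
import re

# HTTP/2 client connection preface (RFC 7540, section 3.5): the first bytes a
# cleartext (non-TLS) HTTP/2 or gRPC client writes to the socket.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data
HTTP1_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# gRPC tcp trace line: "... tcp_posix.cc:NNN] READ <ptr> (peer=<addr>): <hex bytes> ..."
READ_RE = re.compile(r"tcp_posix\.cc:\d+\] READ \S+ \(peer=([^)]+)\): ((?:[0-9a-f]{2} ?)+)")

def classify_first_bytes(data: bytes) -> str:
    """Say what protocol the first bytes read from a new connection look like."""
    # A TLS record starts with: content type, version major 0x03, version minor.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        return "tls"
    if data.startswith(H2_PREFACE):
        return "h2-cleartext"
    if HTTP1_RE.match(data):
        return "http1-cleartext"
    return "unknown"

def diagnose(log_lines):
    """Return (peer, classification) for every READ trace line found."""
    results = []
    for line in log_lines:
        m = READ_RE.search(line)
        if m:
            results.append((m.group(1), classify_first_bytes(bytes.fromhex(m.group(2)))))
    return results

SAMPLE_LOG = [
    # Abridged from the server log above: first 24 bytes of the READ.
    "I0328 14:44:39.401028274 51500 tcp_posix.cc:419] READ 0x7f2d100033b0 "
    "(peer=ipv4:127.0.0.1:60320): 50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 "
    "0d 0a 0d 0a 53 4d 0d 0a 0d 0a",
    # Constructed: start of a TLS handshake record, for contrast.
    "I0328 14:44:40.000000000 51500 tcp_posix.cc:419] READ 0x7f2d100033b0 "
    "(peer=ipv4:127.0.0.1:60321): 16 03 01 02 00 01 00 01 fc 03 03",
    "I0328 14:44:39.401217478 51500 ev_posix.cc:273] (fd-trace) fd_shutdown(17)",
]

if __name__ == "__main__":
    for peer, kind in diagnose(SAMPLE_LOG):
        print(f"{peer}: first bytes look like {kind}")
```

When a TLS listener gets `h2-cleartext` bytes, OpenSSL reads `P`, `R`, `I` as a record header, and the two bytes where it expects a protocol version do not match, hence `wrong version number`.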

@mahendrabagul

Any updates on this issue? I am also getting the same error.

@Kliton Kliton closed this as completed Oct 17, 2022