mTLS setup

I’m trying the mTLS configuration on the ledger. The Ledger API is set to use optional client mutual authentication. I got error messages when running

daml ledger list-parties --host 1.2.3.4 --tls --cacrt ca.crt

Listing parties at 1.2.3.4:6865
E0527 11:07:41.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.219000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.313000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.454000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.704000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:42.157000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:43.001000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:44.048000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:45.094000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:46.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
daml-helper: GRPCIOTimeout

Any clue?

1 Like

Hi @Frankie,
I tried to reproduce this on SDK 1.13.1 with the following commands

daml sandbox --cacrt ca.crt --crt server.crt --pem server.pem --client-auth optional
daml ledger list-parties --host localhost --port 6865 --cacrt ca.crt --tls

However, that works just fine for me.
Are you running on a different SDK version?

2 Likes

We got 1.11.1. Will try it with later version.

1 Like

You can also use commands like the following:

openssl s_client -host <IP> -port 6865 -status -tlsextdebug -CAfile ca.cert.pem -cert client.cert.pem -certform PEM -key client.key.pem -keyform PEM -tls1_2

to validate that the server came up with mTLS enabled. This should connect with TLS and return the server cert details.

3 Likes
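As an added example (not part of this thread and not Daml code), here is a small Python probe that does the same job as the `openssl s_client` check above, but also classifies the failure. `WRONG_VERSION_NUMBER` is what an OpenSSL/BoringSSL client reports when the bytes the peer sends back are not a TLS record at all, i.e. the port is open but the listener is not speaking TLS. The script starts a constructed plaintext listener on loopback (standing in for a ledger that came up without TLS) and shows the probe reporting exactly that; the function names and the banner bytes are my own assumptions, and `probe_tls` can be pointed at a real `host`/`port` with `cafile="ca.crt"` for a verified handshake.

```python
import socket
import ssl
import threading

# Constructed reply: any bytes whose first byte is not a TLS record type will
# make the TLS client fail with WRONG_VERSION_NUMBER. A plaintext HTTP listener
# answering a ClientHello with a 400 is a realistic stand-in.
PLAINTEXT_BANNER = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"


def start_plaintext_server():
    """Listen on an ephemeral loopback port and answer one connection with a
    plaintext banner (simulates a server that came up without TLS). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)            # swallow the client's ClientHello
            conn.sendall(PLAINTEXT_BANNER)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def closed_loopback_port():
    """Reserve and release a loopback port so that it is (very likely) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_tls(host, port, cafile=None, timeout=3.0):
    """Attempt a TLS handshake and classify the outcome.

    Returns a dict with "status" in:
      tls-ok     handshake completed (peer cert and version included)
      not-tls    peer answered with non-TLS bytes (OpenSSL: WRONG_VERSION_NUMBER)
      tls-error  handshake failed for another reason (e.g. unknown CA)
      refused    nothing listening on that port
      timeout    no answer within `timeout` seconds
    With cafile=None the server certificate is not verified; pass the CA file
    (e.g. ca.crt) to get a verified result.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "tls-ok",
                        "version": tls.version(),
                        "peer_cert": tls.getpeercert()}
    except ssl.SSLError as e:
        if e.reason == "WRONG_VERSION_NUMBER":
            return {"status": "not-tls", "detail": e.reason}
        return {"status": "tls-error", "detail": e.reason}
    except ConnectionRefusedError:
        return {"status": "refused"}
    except socket.timeout:
        return {"status": "timeout"}


if __name__ == "__main__":
    port = start_plaintext_server()
    print("plaintext listener:", probe_tls("127.0.0.1", port))
    print("closed port:", probe_tls("127.0.0.1", closed_loopback_port()))
```

If the probe says `not-tls` against your ledger port, the client-side flags are not the problem; the server did not start with TLS on that port, which matches the `WRONG_VERSION_NUMBER` lines in the first post. A `tls-error` with a reason such as a certificate verify failure points at the CA file or hostname instead.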

Thank you for that cmd, I’ll place that into my Testing Tools 👍

1 Like