mTLS setup

Frankie · May 27, 2021, 1:22am

I’m trying the mTLS configuration on the ledger. The Ledger API is set to use optional client mutual authentication. I got error messages when runing

daml ledger list-parties --host 1.2.3.4 --tls --cacrt ca.crt

Listing parties at 1.2.3.4:6865
E0527 11:07:41.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.219000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.313000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.454000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.704000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:42.157000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:43.001000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:44.048000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:45.094000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:46.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
daml-helper: GRPCIOTimeout

Any clue?

cocreature · May 27, 2021, 7:23am

Hi @Frankie,
I tried to reproduce this on SDK 1.13.1 with the following commands

daml sandbox --cacrt ca.crt --crt server.crt --pem server.pem --client-auth optional
daml ledger list-parties --host localhost --port 6865 --cacrt ca.crt --tls

However, that works just fine for me.
Are you running on a different SDK version?

Frankie · May 27, 2021, 1:09pm

We got 1.11.1. Will try it with later version.

nycnewman · May 28, 2021, 4:11pm

You can also use commands like the following:

openssl s_client -host <IP> -port 6865 -status -tlsextdebug -CAfile ca.cert.pem -cert client.cert.pem -certform PEM -key client.key.pem -keyform PEM -tls1_2

to validate that the server came up with mTLS enabled This should connect with TLS and return the server cert details.

quidagis · August 4, 2021, 2:46am

Thank you for that cmd, I’ll place that into my Testing Tools

Topic		Replies	Views
What version of TLS is supported by the Ledger API? Questions daml , java , ledger-api	11	586	January 27, 2021
TLS 1.3 on grpc Questions ledger-api	4	801	February 3, 2022
Using daml script with tls enabled ledger Questions daml , script	3	799	August 21, 2020
OpenSSL error when connecting json api jar to daml-on-sql jar with TLS Questions	2	876	April 27, 2021
Unable to load OpenSSL in canton executable Questions grpc , ledger-api , canton , security	1	429	May 12, 2023

mTLS setup

Related topics