Create a secure Grpc Channel without specifying certificates

rey1996 · wrote on 19 Apr 2024, 21:19

Hello.
I was able to create a secured channel, without need of specifying certificates, using Grpc library in the following way:
auto channel_creds = grpc::SslCredentials(grpc::SslCredentialsOptions());
auto channel = grpc::CreateChannel("server.adress:443", channel_creds);
Now, I need to use Qt Grpc in Qt 6.7 and connect to the same server. But I can't find a way to do this.
I tried to add sslConfiguration to Channel Options with QSslConfiguration::defaultConfiguration(). But I keep receive this error:
Error occurred( QAbstractSocket::RemoteHostClosedError ): "The TLS/SSL connection has been closed"
An the the following error related to the Grpc request:
Error occurred: QGrpcStatus::Unavailable "Network error occurred 1"

Is there a way of setting a Ssl connection without specifying certificates like the way I used to do with Grpc library?

I found there was a QGrpcSslCredentials class back in Qt6.5, that maybe had something to do with that, but it's not longer available in Qt6.7 according to documentation.

ChrisW67 · 20 Apr 2024, 14:17

@rey1996 Do you have the OpenSSL libraries in your runtime environment?

rey1996 · 21 Apr 2024, 03:43

@ChrisW67 I've been thinking that maybe it's something related to OpenSsl because I had to downgrade it once to version 1.0 in order to run a project developed in Qt 5.15. But I've been using QSslConfiguration in Qt 6.7 with Mqtt to call connectToHostEncrypted() and works fine.
That's why I haven't tried to upgrade OpenSsl again.

ChrisW67 · 22 Apr 2024, 04:17

@rey1996 As long as Qt 6.7 is finding OpenSSL 1.1.1 or later, and Qt 5.15 finds OpenSSL 1.0.x all should be well.

rey1996 · 22 Apr 2024, 18:34

@ChrisW67 I checked. I have installed OpenSsl 1.1.1.
I run other test. I was able to connect to the server using QSslSocket with default QSslConfiguration. So that proves that OpenSsl is working fine.
But still I can't connect using Qt Grpc library.

SGaist · 24 Apr 2024, 13:46

Hi,

Did you try to analyze the communication using something like wireshark to see what happens differently between the two variants ?

rey1996 · S SGaist 22 Apr 2024, 18:34

@SGaist Hi.
I haven't tried that. I switched back to gRPC library. And it's working perfectly. But I'll try with Wireshark and see what's happening. Thank you.

semlanik · wrote on 14 May 2024, 15:07

It should work in general. I suspect you use the self-signed certificate somewhere in your server certificate chain. If so you must probably need to set the respective options, especially https://doc.qt.io/qt-6/qsslconfiguration.html#setPeerVerifyMode , to VerifyNone

talksik · wrote on 21 Jun 2024, 20:07

Has anyone found a workaround here? I have a grpc server behind a load balancer that I successfully hit with grpcurl, postman, and golang client. However, it doesn't work with QGrpc using

qt.network.http2: stream 1 finished with error: "Connection 
greeterviewmodel: error occurred:  "" QGrpcStatus::Unavailable
qt.network.http2: stream 3 finished with error: "Connection closed"

talksik · wrote on 21 Jun 2024, 20:55

Okay, for some reason, I needed to set the QSslConfiguration's setAllowedNextProtocols({ "h2" }). Leaky abstraction, poor API design, but I can understand it because the Ssl configuration is not just used for grpc servers, but also just standard rest apis and socket connections.

This is something that the Qt team likely didn't test. I will log it in the bug report. Perhaps QGrpcChannelOptions.setSslConfiguration should take a wrapper function or QSslConfiguration should have a defaultGrpcConfiguration? Or maybe just better docs for this, as I'm sure enterprise customers will need secure channel for grpc.