Encrypted gRPC connection does not work

Hi community,

I would very much appreciate it if someone has some ideas or hints for setting up a gRPC encrypted connection.

The issue is that from our client (Windows 10) we cannot establish an encrypted connection (an unencrypted one over gRPC works well). What we did so far:

  • Followed the official gRPC configuration (step-by-step)
  • Set up the server-side certificate (already twice) (we followed similar steps on the dev environment and it worked well)
  • Opened the local Windows firewall and the main firewall on port 7766 and verified that traffic is coming through
  • Installed the client on a Windows 10 machine

After some Wireshark capturing, I could see that the client is constantly sending connection requests over TLSv1. After that we explicitly enabled TLS1.2 on the server (restarted the server) and have done the same on the client (even though Windows 10 clients should natively support TLS1.2). We also restarted the machine afterwards. Unfortunately, the connection is still not getting established when using an encrypted connection. I have captured traffic again and could see that the client again sent packages using the TLSv1 protocol.

I read a couple of topics regarding problems with the server-side certificate, but as we tried to create it twice and were successful on the dev environment, I would assume the certificate should be correct.

Checking my dev client machine, I could not see any specific configuration for TLS (no secure channel configs or similar). It is also a Windows 10 PC.

I know this is hard to answer, but I am still curious if someone has experienced similar problems or behavior. My understanding is that a gRPC connection expects TLS1.2 for encryption. Could it still be a certificate? Certificates are not bound to a protocol as far as I know.

Any hint would be more than welcome.

Thanks.

Dejan

  • I had some difficulties installing the certificates on a server lately. If I remember correctly I tried at first to do it from Admin directly on the server. It did not work until I did the same from Admin on a client computer which at the time was connected via RPC over HTTPS. Not sure why that was, but it solved the problem for me.

  • Hi Karl,

    Thanks for the quick answer. Actually, we have set up the server certificate without problems. We used the official documentation and the same approach worked well on the dev environment. My gut feeling tells me it must be the protocol packages are sent behind (TLSv1). Unfortunately, I can't find a way to force the client to use TLS1.2. It is really strange.

  • If your client can connect to the development environment, then I'm pretty sure the problem is not on the client side. Also, if the client can connect to the server without encryption then, in my opinion, everything points at the certificates. You can easily check from Admin on a remote client.

    As for TLS I would recommend disabling TLS 1.1 and lower on the server. That should force all clients to use TLS 1.2 or not connect at all. There is no good reason to leave the old protocols available as options on the server.

  • Hi again,

    Thanks for the feedback. We have disabled all older TLS versions on the server and just kept TLS1.2. Still, the client is trying to establish a connection with TLSv1.

    Do you have any recommendation on how to check if the server certificate is correct? I can see it is configured on the server, but I am not quite sure how to check if it is valid; at least the server is not reporting any error when it is set up.

    Thanks.

    Dejan

  • My best advice would be to check from Admin on a client computer. For some reason it does not always look the same as when checking directly from the server.

  • Hi again,

    We have solved the issue with secure protocols and have now set it up correctly so both server and client are using TLS1.2 as expected. Unfortunately, the connection is still not established. So I assume that it must be the server certificate.

    We will try to issue a new certificate again tomorrow.

    Have you ever used the following configuration for logging: HKEY_LOCAL_MACHINE\Software\Motive\M-Files\<version>\<component>\<application>\Logging\grpc?

    We have tried but could not see any logs written to the event log. Or does M-Files log it somewhere else?

    Perhaps we configured something wrong.

    I really hope to find this problem.

    Thanks again.

    Dejan

  • M-Files logging is stored separately. One of my servers has it in D:\Temp\MFilesLogs.
    Right now I do not recall where this is defined, but check in your Temp folder on the server if there is a folder for MFilesLogs.

  • Just to update on this one: unfortunately, for logging we were not able to find a solution. I have tried client and server config but it has not worked well and we could not find any logs anywhere.

    Regarding our problem: we have found the solution! The problem was related to the certificate; it seems we had not correctly formatted our certificate in PEM format. It is really important to follow all the steps mentioned in the gRPC document.

    Nevertheless, thanks again!
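
The thread ended with a certificate that was not correctly formatted as PEM, and earlier asked how to check whether the server certificate is correct. As an added example (not from the thread or from M-Files), this Python script checks a file's PEM structure and reports common formatting defects; the function name `check_pem` and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

def check_pem(data: bytes) -> list[str]:
    """Return formatting problems; an empty list means the PEM structure is sound."""
    problems = []
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ["file is UTF-16 encoded; PEM must be plain ASCII"]
    if data[:3] == b"\xef\xbb\xbf":
        problems.append("file starts with a UTF-8 BOM")
        data = data[3:]
    if data[:1] == b"\x30":  # DER SEQUENCE tag: certificate saved as binary
        return ["file is binary DER, not PEM (no Base64 armor)"]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["file contains non-ASCII bytes"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return problems + ["no complete BEGIN/END block found"]
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} does not match END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{begin}: body is not valid Base64")
            continue
        if der[:1] != b"\x30":
            problems.append(f"{begin}: decoded body is not a DER SEQUENCE")
    return problems

# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
GOOD_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n".encode()

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_pem(fh.read()) or "PEM structure OK")
```

This checks structure only; it does not validate the chain, the expiry date, or that the private key matches the certificate.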