
Trying to connect with missing certificate_chain crashed the Python interpreter

Open miott opened this issue 5 years ago • 5 comments

Connection code did not find the certificate chain file and assigned Python None to the Client class, which led to this error in grpc/_channel.py.

(Pdb) n
> /Users/miott/ysuite/install/yangsuite/venv/lib/python3.7/site-packages/grpc/_channel.py(1352)__init__()
-> _common.encode(target), _augment_options(core_options, compression),
(Pdb) n
> /Users/miott/ysuite/install/yangsuite/venv/lib/python3.7/site-packages/grpc/_channel.py(1353)__init__()
-> credentials)
(Pdb) n
E0812 17:49:57.641734000 123145481629696 ssl_credentials.cc:101]       assertion failed: pem_key_cert_pair->cert_chain != nullptr
Abort trap: 6

miott avatar Aug 12 '20 17:08 miott

Interesting - is this happening in ClientBuilder.construct? grpc.ssl_channel_credentials expects None for any of those args; uncertain of the conditions which cause this.

remingtonc avatar Aug 12 '20 19:08 remingtonc

Yes, construct, but really the crash happens initializing the "grpc._channel.Channel" class.

Here are the 3 parameters (certificate chain is None).

(Pdb) pp channel_creds._credentials._channel_credentials._certificate_chain
None
(Pdb) pp channel_creds._credentials._channel_credentials._pem_root_certificates
(b'-----BEGIN CERTIFICATE-----\nMIICnjCCAYYCCQDnpKTY6UDltDANBgkqhkiG9w0BAQsF'
 b'ADARMQ8wDQYDVQQDDAZy\nb290Q0EwHhcNMjAwMjEwMTU0MzQwWhcNNDcwNjI3MTU0MzQwWjA'
 b'RMQ8wDQYDVQQD\nDAZyb290Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGgC'
 b'aEVfyd\nQMcBxXbtAEOSEJXchEfM5GAL1b8aTVLKInZkHuenbNgFWJNElYaXsdpSgnkMft9P\n'
 b'IaGyEeaXvq78ZC7MXy1OKT58xG0LwBYsNeztEBxpge5djsEItb98TVEbrhPceuyi\nDLuse7O'
 b'mfe5vSPtTSzbgmB+7hRzJjgcsWt/LTp0r3m3jf8/tQ+OEJlF7TyN7Teo1\nGTsgoLcaIXAhs4'
 b'EV4B50PjvMxpkO7CDnNSCoD5K9VTme72wcXPv0BykK3LSUVWta\nWSxp6tCdxHvabocdiBfTN'
 b'PkWctRc37uBSa2D/7AgUBfE48opk0922O74YHm8PMw2\n5yjBOdhonFvpAgMBAAEwDQYJKoZI'
 b'hvcNAQELBQADggEBAJ0pgvK21GTq0RkgYe/c\n/db4YDM1StsNW/q+67eCMliZrNJfGjlacs8'
 b'uaY6+PwPCxY+CehJY0T2NpNlQuAhr\n+Fy6WUR+8FEFOSihPqN11EQPgyKsFt1F6FET1mTgBm'
 b'w2+3dnHSlJ3wAnW4IrH8Jw\nTqi3+KRzrDOqj3uX3CZZqFcwdweTiF2yu7TurNDSXky4RTIuo'
 b'pLehkN7oTo0TeWD\n5anQLPaNG6ifLwt1lISbLFaeKISnD5hha/ifvprmp0hOmKBT61L3TpYz'
 b'5nJ8jQwx\nLuteBmVTq6SaiQvcE2kzCFB2KBciCAstt2bF3u5V0DDEOQv1iQla2ULYF7EzKz5'
 b'F\nalU=\n-----END CERTIFICATE-----\n')
(Pdb) pp channel_creds._credentials._channel_credentials._private_key
(b'-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA34Qlyxw+reu4//nIYa6+dDUM'
 b'A1wyyANb5FEAPXdiGN+nraQm\n8Y/mo2R4LiRDp6i2MIR+Kzfptctc1SKJ3QFUrje8VjuqRzW'
 b'gcERBU7Ujfjonpwmj\nlshYkST304cEPX4S/ys4eFT2aunBZvR+CJxhxBQNO7ROx3QvKFYHhL'
 b'YU8AQDW5XN\nIpCKVFQbtuZK4KdoL8MKaJ8bJ5SMnCGHmrXAhv1/xJb5c4QYwLG0hpzpM+WU8'
 b'Rm9\no2mi5w0Y0w/ziOd4tu58OOpF9PVp6CyqPFdQHZcPe1lQty6FdG4y0cn162BuCRfI\nHu6'
 b'Ab6gtcV3GwP38uJHyRU/6lxce3JYpZaOtXwIDAQABAoIBAQChQcPKf7ww2ioE\nc39ACkRZrp'
 b'PWMMRqTRIU7OORdPoPG/zrZ8y45qrtIuUZ1QwCf9PBuTUVlSdGA0wc\ncOipy/X+IzP7utwkt'
 b'+niVTwUWlEbFnXZKzkc5boQLW2m7HgArV6jPdll51ZI2BCy\naJ4tNDXMsvLBKlrTx1zmavrN'
 b'olgEuGcANJBoUHwdCil3s8Z6X/MDcJIC8knkkxYn\nQCb7PY9tKUQF4ks8OJHmOLxcvNSwUZB'
 b'H3iXUicbmotne4MSTaiJc4LqsS13EzrD8\nAODW8xVsjd6OhV0HKQpJIvXiZhGSkZv/pdtWcA'
 b'7X9CdNN4IuPsniSdqKFdFgf5OY\n2YFde9DBAoGBAPnG5kPVetqyMn2e/YDkJBLCv3D2auIlv'
 b'UaX0eajUhxwHpUi69Sv\nfK/UVHv/WD+iUk+O8J5KOIa15x6X0TwbTwalVRGCXA+KUShU4EzG'
 b'ZFmpEodNEviP\nlMQo7mzDhyw9oGMzNxJH9xkm0e2D1lbaK2j4SNkgH5SW92jNq0IEuTIvAoG'
 b'BAOUV\nwTHNB/mFDg7q8/EInfx+VNE0ll51c/tRq1MRgUZ+UuraSjBOaMUBfMW3EfoCKMoq\n2'
 b'HjrU5dw/tF+2wftYWef3DBPBcr+1whleONNwOkjS72TH1TIvcYtfHcj17bdq92Q\nnljXeogK'
 b'hgN0CcCWU/fKh+Zevcp9FM5jT2G0VVvRAoGBAJ1Q/eSJh5hIle5y/d15\nU5MRX7xJJ6aJ+H2'
 b'Gz6hBA01v/IMX/Ir3gEPKKu/yMmXZ2ZfMQpafzpxh41BsdFc0\nKADajwq5HTyYdGc/lgolBj'
 b'1GdKoNDD7LR/qIgSq1t+RQaD0ym6QC+Ym43o2G9K+9\nN4wknNVMGzfeIbO7nfq1uOL3AoGAA'
 b'aZeddVcMVfb+g+HIj1FpgPi6H7Qdm2yICU+\nbqK5o6BVSIu57Q8jgge4tlPTNVG+qXYViQlo'
 b'2LZfn3KicTQsd2qXU2G+UO/07IKO\nlFSDByrR6NOebiXj+AFr3A/OBesiyb245jrnDwPEY1H'
 b'6oAB1KluzDt2v0D2GYNYm\nRDXgR4ECgYEA1/3DArVA8N5hXZSNqwQw7P5gVgdpy/hbtvA61a'
 b'oqcBALXKdbWHB0\nv0qZkZlWabYzKLna0IKuOch0ONauLVqm2aG4fx0ZRdJsAdNkChcQcNTT7'
 b'9bg2DMj\ni1xPX8YSzZ4M1TglrUl28Xz+Sfghk1Zdp4tc3QXzxQ8SO8aWaJ2tDpw=\n-----EN'
 b'D RSA PRIVATE KEY-----\n')
(Pdb)

miott avatar Aug 12 '20 20:08 miott

Further testing: if either the private key or the client certificate is None, they both have to be None or you get a crash.

miott avatar Aug 12 '20 20:08 miott

I'm inclined to say that makes sense, but I don't FULLY understand certificates enough to know situations wherein the client key/cert pair wouldn't be necessary. We can add an exception for that condition - in general I usually have a rootCA.pem for CA, client.key for client key, and client.crt for client certificate, and sometimes only the CA. Do you have a use case otherwise?

remingtonc avatar Aug 13 '20 00:08 remingtonc

NXOS at first only provided the rootCA.pem and host override name. That also connects successfully for XE. From my limited investigation of TLS, I think that works because the actual root authority is the Cisco device itself. If it was a 3rd party, not so sure that would end in a successful connection.

miott avatar Aug 13 '20 14:08 miott
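The two situations discussed in this thread, a missing client certificate file that silently became None and a root-CA-only connection with a host name override, can both be handled before grpc-core ever sees the credentials. The block below is an added example, not cisco-gnmi-python's own code: it reads the three PEM inputs, refuses a configured-but-missing file, enforces the "both or neither" rule for the client key/certificate pair observed above (grpc-core asserted `pem_key_cert_pair->cert_chain != nullptr` and aborted the process), and only then calls the real `grpc.ssl_channel_credentials(root_certificates=, private_key=, certificate_chain=)`. The PEM blobs are constructed placeholders, `read_pem_file`, `validate_tls_material`, `channel_options` and `build_channel_credentials` are hypothetical helper names, and `router1.example.net` is an assumed override name. `grpc.ssl_target_name_override` is a real channel option; the validation functions do not need grpc installed.

```python
"""Added example (not cisco-gnmi-python code): validate PEM material before
grpc.ssl_channel_credentials() sees it, so a missing client certificate file
becomes a Python exception instead of a grpc-core assertion abort."""
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed placeholder PEM blobs; not real keys or certificates.
FAKE_ROOT_CA_PEM = b"-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nCLIENT\n-----END CERTIFICATE-----\n"
FAKE_CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n"

PemTriple = Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]


class TLSMaterialError(ValueError):
    """Raised for any credential combination grpc-core would abort on or reject."""


def read_pem_file(path: Optional[str]) -> Optional[bytes]:
    """Read a PEM file, or return None only when no path was configured.

    A configured-but-missing file is an error here; silently turning it into
    None is what led to the grpc-core abort reported in the issue.
    """
    if path is None:
        return None
    file = Path(path)
    if not file.is_file():
        raise TLSMaterialError(f"TLS file not found: {path}")
    return file.read_bytes()


def _has_pem_block(data: bytes, label: bytes) -> bool:
    # Cheap sanity check for PEM armor lines; it does not parse the ASN.1 inside.
    return (b"-----BEGIN " + label) in data and (b"-----END " + label) in data


def validate_tls_material(
    root_certificates: Optional[bytes],
    private_key: Optional[bytes],
    certificate_chain: Optional[bytes],
) -> PemTriple:
    """Return the triple unchanged if it is a safe input for ssl_channel_credentials."""
    # The rule observed in the thread: key and chain are a pair, both or neither.
    if (private_key is None) != (certificate_chain is None):
        raise TLSMaterialError(
            "private_key and certificate_chain must both be set (mutual TLS) "
            "or both be None (server-only TLS); grpc-core aborts on a half pair"
        )
    if root_certificates is not None and not _has_pem_block(root_certificates, b"CERTIFICATE"):
        raise TLSMaterialError("root_certificates is not a PEM certificate")
    if certificate_chain is not None and not _has_pem_block(certificate_chain, b"CERTIFICATE"):
        raise TLSMaterialError("certificate_chain is not a PEM certificate")
    if private_key is not None and b"PRIVATE KEY-----" not in private_key:
        raise TLSMaterialError("private_key is not a PEM private key")
    return root_certificates, private_key, certificate_chain


def channel_options(ssl_target_name_override: Optional[str] = None) -> List[Tuple[str, str]]:
    """Channel options for the root-CA-only case.

    The override makes the TLS host name check accept the name in the device's
    certificate when the channel target is, for example, an IP address.
    """
    if ssl_target_name_override is None:
        return []
    return [("grpc.ssl_target_name_override", ssl_target_name_override)]


def build_channel_credentials(root_path: str, key_path: Optional[str] = None,
                              chain_path: Optional[str] = None):
    """Read and validate the files, then build the real grpc credentials object.

    grpc is imported lazily so the validation helpers are usable without it.
    """
    root, key, chain = validate_tls_material(
        read_pem_file(root_path), read_pem_file(key_path), read_pem_file(chain_path)
    )
    import grpc
    return grpc.ssl_channel_credentials(
        root_certificates=root, private_key=key, certificate_chain=chain
    )


if __name__ == "__main__":
    # Half a client pair: the crash case from the issue, now a Python exception.
    try:
        validate_tls_material(FAKE_ROOT_CA_PEM, FAKE_CLIENT_KEY_PEM, None)
    except TLSMaterialError as exc:
        print("rejected:", exc)
    # Root CA only (the NX-OS case) and the full mutual-TLS triple both pass.
    print(validate_tls_material(FAKE_ROOT_CA_PEM, None, None))
    print(validate_tls_material(FAKE_ROOT_CA_PEM, FAKE_CLIENT_KEY_PEM, FAKE_CLIENT_CERT_PEM)[2])
    print(channel_options("router1.example.net"))  # assumed override name
```

In the root-CA-only case the device certificate chains up to whatever `root_certificates` holds, so whether the device is its own root or a third-party CA signed it only changes which PEM goes in that slot; the host name override is what lets the check pass when the target address does not match the certificate's name. The validation deliberately fails closed: a path that was configured but does not exist raises rather than degrading to None, which is the exact transition the original report went through before grpc-core aborted.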