
Issue using SSL certificates with SAN (Subject Alternate Name) in c++ grpc

Open chirupan opened this issue 2 years ago • 1 comments

GRPC Version - 1.37.0-dev
openssl version - 1.1.1

Steps to reproduce :-

  1. Generate CA root, server and client keys/certificates for mutual SSL authentication using the steps as attached in gen_certs.sh
  2. Provide an extension file named ssl.cnf so that alternate subject domain names can be inserted while generating server/client certificates.
  3. Both pairs of server and client certificates are used in c++ server & client applications.

Expected result :- APIs should be triggered without any errors.

Actual result :- Get the below error message on the client side

Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
14: failed to connect to all addresses
RPC failed

However, if the certificates are generated without the SAN feature, calls are triggered successfully. I've been stuck here for the past 3 days and prompt help would be highly appreciated. I need to understand what would be the correct way of generating the client/server certificates with the SAN option.

certificates.zip

chirupan avatar Jul 29 '21 14:07 chirupan
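A way to check a SAN certificate against the name a client will dial, as an added example that is not part of the original issue or the attached gen_certs.sh: it builds a throwaway CA and leaf with OpenSSL using an extension file, then runs chain and name verification. The file names, `example-ca`, `server.example.test`, `grpc.example.test` and `127.0.0.1` are constructed; the last check shows that once a DNS SAN is present, OpenSSL no longer matches the subject CN.

```shell
#!/usr/bin/env bash
# Added example; every name, path and address below is constructed for illustration.

# make_chain DIR CN SAN : write a CA and a CA-signed leaf carrying SAN into DIR.
make_chain() {
  local d=$1 cn=$2 san=$3
  mkdir -p "$d" || return 1
  # Extension file (the role ssl.cnf plays in the issue).
  cat > "$d/ssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
EOF
  openssl req -x509 -config "$d/ssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=example-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -new -config "$d/ssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$cn" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  # By default "x509 -req" does not copy extensions from the CSR: the SAN must be
  # supplied at signing time through -extfile/-extensions.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/ssl.cnf" -extensions v3_leaf -out "$d/leaf.crt" 2>/dev/null
}

# check_name DIR FLAG VALUE : chain + name check; FLAG is -verify_hostname or -verify_ip.
check_name() {
  openssl verify -CAfile "$1/ca.crt" "$2" "$3" "$1/leaf.crt" 2>&1 | grep -q ': OK$'
}

# Demo: CN is server.example.test, but only the SAN entries are accepted as names.
d=$(mktemp -d)
make_chain "$d" server.example.test "DNS:grpc.example.test,IP:127.0.0.1"
for t in "-verify_hostname grpc.example.test" "-verify_ip 127.0.0.1" \
         "-verify_hostname server.example.test"; do
  # Intentional word splitting of $t into flag and value.
  if check_name "$d" $t; then echo "$t: accepted"; else echo "$t: rejected"; fi
done
rm -rf "$d"
```

Running the same `check_name` against the real CA file and leaf, with the exact host or IP the client connects to, separates a chain problem from a name mismatch.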

These are the logs of the server when GRPC_VERBOSITY=DEBUG and GRPC_TRACE=all

26917 security_handshaker.cc:184] Security handshake failed: {"created":"@1627635296.957997374","description":"Cannot check peer: missing selected ALPN property.","file":"/home/chirag/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}
I0730 14:24:56.958030785 26917 tcp_posix.cc:1219] TCP:0x7f9e40001630 got_error: {"created":"@1627635296.958023137","description":"FD Shutdown","file":"/home/chirag/grpc/src/core/lib/iomgr/lockfree_event.cc","file_line":199,"referenced_errors":[{"created":"@1627635296.957997374","description":"Cannot check peer: missing selected ALPN property.","file":"/home/chirag/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}]}
I0730 14:24:56.958039161 26917 handshaker.cc:129] handshake_manager 0x7f9e400020e0: error={"created":"@1627635296.957997374","description":"Cannot check peer: missing selected ALPN property.","file":"/home/chirag/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160} shutdown=0 index=1, args={endpoint=(nil), args=(nil) {size=0: }, read_buffer=(nil) (length=0), exit_early=0}
I0730 14:24:56.958044709 26917 handshaker.cc:162] handshake_manager 0x7f9e400020e0: handshaking complete -- scheduling on_handshake_done with error={"created":"@1627635296.957997374","description":"Cannot check peer: missing selected ALPN property.","file":"/home/chirag/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}
I0730 14:24:56.958050679 26917 timer_generic.cc:470] TIMER 0x7f9e40002148: CANCEL pending=true
D0730 14:24:56.958056823 26917 chttp2_server.cc:253] Handshaking failed: {"created":"@1627635296.957997374","description":"Cannot check peer: missing selected ALPN property.","file":"/home/chirag/grpc/src/core/lib/security/security_connector/ssl_utils.cc","file_line":160}
I0730 14:24:56.958098938 26917 resource_quota.cc:953] RQ anonymous_pool_140317655307360 ipv4:192.168.0.104:56882: free 8192; free_pool -> 8192
I0730 14:24:56.958122134 26917 resource_quota.cc:553] RU shutdown 0x7f9e40001f60

chirupan avatar Jul 30 '21 09:07 chirupan