Secure connection unknown failure

[george-gayton-opsydia]

I am attempting to implement TLS authentication on a dart client communicating with a asp.net server via gRPC.

I am using default values on the client side:

final channel = ClientChannel(hostname,
        port: port,
        options: ChannelOptions(
            credentials: ChannelCredentials.secure(
              onBadCertificate: (cert,host) => true
            )));

I would expect the server to fail at authorizing the client, but when making a gRPC call from the dart app I get:

[ERROR:flutter/runtime/dart_vm_initializer.cc(40)] Unhandled Exception: gRPC Error (code: 2, codeName: UNKNOWN, message: HTTP/2 error: Connection error: Connection is being forcefully terminated. (errorCode: 10), details: null, rawResponse: null, trailers: {})

with no logs on the server-side.

If I attempt to connect to https://localhost:5400 via a browser, I get the expected behaviour: server fails to authenticate the client cert.

I have another C# client that connects to the server and has no problems with authentication.

I had no problems prior when using insecure connection to the server.

Using WireShark, I see the response:

438	1.702108	127.0.0.1	127.0.0.1	TLSv1.2	561	Client Hello (SNI=localhost)
439	1.702198	127.0.0.1	127.0.0.1	TCP	44	5400 → 31323 [ACK] Seq=1 Ack=518 Win=2619648 Len=0
440	1.705448	127.0.0.1	127.0.0.1	TLSv1.2	2389	Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
441	1.705534	127.0.0.1	127.0.0.1	TCP	44	31323 → 5400 [ACK] Seq=518 Ack=2346 Win=2617344 Len=0
458	1.709348	127.0.0.1	127.0.0.1	TLSv1.2	214	Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
459	1.709433	127.0.0.1	127.0.0.1	TCP	44	5400 → 31323 [ACK] Seq=2346 Ack=688 Win=2619392 Len=0
460	1.711148	127.0.0.1	127.0.0.1	TLSv1.2	95	Change Cipher Spec, Encrypted Handshake Message
461	1.711215	127.0.0.1	127.0.0.1	TCP	44	31323 → 5400 [ACK] Seq=688 Ack=2397 Win=2617344 Len=0
462	1.711308	127.0.0.1	127.0.0.1	TLSv1.2	75	Encrypted Alert

The server shutdowns this message with Encrypted Alert, leading to the error in dart shown above with no indication from logs as to why. Given two independent methods of connecting to the server give the expected behaviour, I suspect that the dart client to be the cause.

I'm at a bit of a loss of what to investigate next so any suggestions welcome.

[george-gayton-opsydia]

Solved.

By relaxing authentication rules on the server, I was able to find out that the client certificate was always empty.

Turns out you must include your private key to the security context even if it is included in the loaded .pfx file.

Is it expected that you can load a client cert without a private key? It seems that you will always fail otherwise.