
mTLS setup

App Development · 5 posts · 957 views · 9 likes · Last activity Aug 2021

Frankie (OP)
May 2021

I’m trying the mTLS configuration on the ledger. The Ledger API is set to use optional client mutual authentication. I got error messages when running:

daml ledger list-parties --host 1.2.3.4 --tls --cacrt ca.crt

Listing parties at 1.2.3.4:6865
E0527 11:07:41.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.219000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.313000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.454000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:41.704000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:42.157000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:43.001000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:44.048000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:45.094000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
E0527 11:07:46.141000000  5708 external/com_github_grpc_grpc/src/core/tsi/ssl_transport_security.cc:1455] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
daml-helper: GRPCIOTimeout

Any clue?

cocreature
May 2021

Hi @Frankie,
I tried to reproduce this on SDK 1.13.1 with the following commands

daml sandbox --cacrt ca.crt --crt server.crt --pem server.pem --client-auth optional
daml ledger list-parties --host localhost --port 6865 --cacrt ca.crt --tls

However, that works just fine for me.
Are you running on a different SDK version?

Frankie
May 2021

We got 1.11.1. Will try it with a later version.

nycnewman
May 2021

You can also use commands like the following:

openssl s_client -host <IP> -port 6865 -status -tlsextdebug -CAfile ca.cert.pem -cert client.cert.pem -certform PEM -key client.key.pem -keyform PEM -tls1_2

to validate that the server came up with mTLS enabled. This should connect with TLS and return the server cert details.
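
Added example, not part of any post in this thread: a TLS client reports WRONG_VERSION_NUMBER when the first bytes it gets back do not parse as a TLS record with major version 3, which commonly means the port is answering in plaintext. The Python sketch below sends a real ClientHello and classifies the first 5 bytes of the reply; the function names and the sample bytes are constructed for illustration, and the thread itself does not establish what caused the error on the poster's ledger.

```python
import socket
import ssl

# TLS record content types (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Constructed sample: header of an HTTP/2 SETTINGS frame, the kind of
# reply a plaintext HTTP/2 (gRPC) listener may send instead of a ServerHello.
HTTP2_SETTINGS_SAMPLE = bytes.fromhex("000012040000000000")

def client_hello(server_name="localhost"):
    """Build a real ClientHello in memory, without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()

def classify_record(header):
    """Classify the first 5 bytes the peer sent back."""
    if not header:
        return "closed"
    if len(header) < 5:
        return "short"
    ctype, major, minor = header[0], header[1], header[2]
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
        return "tls:" + CONTENT_TYPES[ctype]
    # Not a TLS record header; a TLS library fails the handshake here,
    # and a major version other than 3 surfaces as WRONG_VERSION_NUMBER.
    return "not-tls"

def first_reply(sock, server_name="localhost", timeout=5.0):
    """Send a ClientHello on a connected socket and classify the answer."""
    sock.settimeout(timeout)
    sock.sendall(client_hello(server_name))
    header = b""
    try:
        while len(header) < 5:
            chunk = sock.recv(5 - len(header))
            if not chunk:
                break  # peer closed before sending a full record header
            header += chunk
    except socket.timeout:
        return "no-reply"
    return classify_record(header)

def probe(host, port=6865):
    """Connect to host:port (6865 is the port used in this thread)."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        return first_reply(sock, server_name=host)
```

A result of `tls:handshake` means the listener is speaking TLS and certificate checks such as the `openssl s_client` command above are the next step; `not-tls` points at the server's TLS settings rather than at the client certificates.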

quidagis
Aug 2021

Thank you for that cmd, I’ll place that into my Testing Tools 👍