Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses; last error: UNKNOWN: Failed SSL handshake")
ID: dotnet/grpc-ssl-handshake-failed
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| .NET 6.0 | active | — | — | — |
| .NET 7.0 | active | — | — | — |
| .NET 8.0 | active | — | — | — |
| Grpc.Net.Client 2.49 | active | — | — | — |
| Grpc.Net.Client 2.52 | active | — | — | — |
Root cause analysis
The gRPC client fails the SSL/TLS handshake with the server because of mismatched TLS protocol versions, a missing or invalid (untrusted) certificate, or a server that does not support HTTP/2 over TLS.
Official documentation
https://learn.microsoft.com/en-us/aspnet/core/grpc/troubleshoot
Solutions
- Make sure the server certificate is trusted by the client. Install the server's CA certificate with certmgr.msc (Windows) or by updating the Linux CA store.
- Configure the gRPC client to use a specific TLS version: AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", false); and set HttpClientHandler.SslProtocols = SslProtocols.Tls12;
- If you are on .NET Core 3.1+ and the server uses a self-signed certificate, add this client code: var handler = new HttpClientHandler(); handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator; (not suitable for production).
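A production-safe alternative to the self-signed-certificate workaround above, added here as an example that is not from the original page or the Grpc.Net.Client project: instead of accepting any certificate, the client pins TLS 1.2/1.3 and validates the server chain against one explicitly trusted CA. The class name, the CA file path and the absence of a CRL for that CA are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Grpc.Net.Client;

// Hypothetical helper: builds a gRPC channel that trusts exactly one CA
// (e.g. the internal CA that issued the self-signed/dev server certificate)
// rather than disabling validation with DangerousAcceptAnyServerCertificateValidator.
public static class TrustedGrpcChannel
{
    public static GrpcChannel Create(string address, string caCertPath)
    {
        // Load the CA certificate the server certificate chains to (assumed DER/PEM file path).
        var trustedCa = new X509Certificate2(caCertPath);

        var handler = new HttpClientHandler
        {
            // Pin modern protocol versions so a downgrade to TLS 1.0/1.1 fails loudly
            // instead of silently negotiating something the server may reject.
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        };

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (cert is null) return false;

            // Only a chain-trust problem is acceptable here; a hostname mismatch or a
            // missing certificate is still rejected, unlike with the "accept any" validator.
            if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
                return false;

            // Re-validate against our own root only, so the decision does not depend
            // on whatever happens to be in the machine's OS trust store.
            using var customChain = new X509Chain();
            customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            customChain.ChainPolicy.CustomTrustStore.Add(trustedCa);
            // Assumed: the private CA publishes no CRL. Use X509RevocationMode.Online
            // when it does, so revoked server certificates are refused.
            customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return customChain.Build(cert);
        };

        return GrpcChannel.ForAddress(address, new GrpcChannelOptions { HttpHandler = handler });
    }
}
```

If the handshake still fails after this change, the cause is on the protocol side (TLS version, cipher suite, or no HTTP/2 on the server) rather than certificate trust.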
Ineffective attempts
Common but ineffective approaches:
- Disable SSL validation entirely by setting ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }
  90% failure rate: disabling SSL validation creates a severe security vulnerability and may not fix protocol-level mismatches such as TLS version or cipher suite.
- Use HTTP/1.1 instead of HTTP/2
  95% failure rate: gRPC requires HTTP/2; switching to HTTP/1.1 causes protocol errors and the gRPC call fails with a different error.
- Set an AppContext switch to ignore certificate revocation
  85% failure rate: ignoring revocation does not address the root cause of the handshake failure (e.g., mismatched cipher suites or an expired certificate).