# Grpc.Core.RpcException: Status(StatusCode="Unavailable", Detail="failed to connect to all addresses; last error: UNKNOWN: SSL handshake failed")

- **ID:** `dotnet/grpc-ssl-handshake-failed`
- **Domain:** dotnet
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 82%

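## Root cause

The gRPC client's SSL/TLS handshake fails because of a protocol mismatch, a missing or invalid certificate, or a server that does not support HTTP/2 over TLS.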

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| .NET 6.0 | active | — | — |
| .NET 7.0 | active | — | — |
| .NET 8.0 | active | — | — |
| Grpc.Net.Client 2.49 | active | — | — |
| Grpc.Net.Client 2.52 | active | — | — |

## Solutions

1. Make sure the client trusts the server certificate. Install the server's CA certificate with `certmgr.msc` or by updating the Linux CA store.
2. Configure the gRPC client to use a specific TLS version: call `AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", false);` and set `HttpClientHandler.SslProtocols = SslProtocols.Tls12;`.
3. If you are on .NET Core 3.1+ and the server uses a self-signed certificate, add this client code: `var handler = new HttpClientHandler(); handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;` (not suitable for production).
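For a self-signed or private-CA server certificate, a validation callback that trusts only that one certificate keeps the handshake working without accepting every certificate. The following is an added example, not code from the original page; the class `PinnedCaGrpcChannel`, its methods, and the `address` and `caCertPath` parameters are hypothetical names, and it assumes .NET 6 to 8 with `Grpc.Net.Client`.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Grpc.Net.Client;

public static class PinnedCaGrpcChannel
{
    // address: e.g. "https://grpc.internal.example:5001" (constructed sample value).
    // caCertPath: PEM or DER file holding the self-signed cert or private root CA (assumption).
    public static GrpcChannel Create(string address, string caCertPath)
    {
        var trustedRoot = new X509Certificate2(caCertPath);

        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(cert, errors, trustedRoot)
        };

        return GrpcChannel.ForAddress(address, new GrpcChannelOptions { HttpHandler = handler });
    }

    public static bool Validate(X509Certificate2? cert, SslPolicyErrors errors,
                                X509Certificate2 trustedRoot)
    {
        if (cert is null) return false;

        // The OS trust store already accepts the certificate.
        if (errors == SslPolicyErrors.None) return true;

        // Only an untrusted chain is recoverable here. A host name mismatch or a
        // missing certificate is rejected regardless of who issued the certificate.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;

        // Rebuild the chain with the supplied certificate as the only accepted root.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        // Assumption: the private CA publishes no CRL/OCSP endpoint, so revocation
        // checking is skipped. Remove this line if the CA does publish one.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        return chain.Build(cert);
    }
}
```

Expired certificates and certificates issued by any other root still fail `chain.Build`, so the handshake error keeps surfacing real certificate problems instead of hiding them.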

## Ineffective attempts

- **Disable SSL validation entirely by setting ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }** — Disabling SSL validation creates a severe security vulnerability and may not fix protocol-level mismatches like TLS version or cipher suite. (90% failure rate)
- **Use HTTP/1.1 instead of HTTP/2** — gRPC requires HTTP/2; switching to HTTP/1.1 will cause protocol errors and the gRPC call will fail with a different error. (95% failure rate)
- **Set AppContext switch to ignore certificate revocation** — Ignoring revocation does not address root cause of handshake failure (e.g., mismatched cipher suites or expired certificate). (85% failure rate)
