Establishing communication through HTTPS proxy

[lely475]

Dear NVFlare community,

I am trying to establish connection between a provisioned NVFlare server and client.
The client is only able to communicate to the server through a HTTPS proxy that is handling all incoming and outgoing HTTPS traffic.
I am currently unable to establish the connection, where I get the following error from the server:

E0417 08:57:01.797394353  263815 ssl_transport_security.cc:1495] Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.

And on client side:

start fl because process of 1269335 does not exist
new pid 2005945
Waiting for SP....
2023-04-21 10:07:00,777 - FederatedClient - INFO - Got the new primary SP:server-DN.com:443
2023-04-21 10:07:01,846 - Communicator - ERROR - Action: client_registration grpc communication error: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "failed to connect to all addresses"
    debug_error_string = "{"created":"@1682064421.846028672","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":3217,"referenced_errors":[{"created":"@1682064421.846027800","description":"failed to connect to all addresses","file":"src/core/lib/transport/error_utils.cc","file_line":165,"grpc_status":14}]}"

Is it possible that I need to place the client SSL certificate, private key and root certificate on the proxy, to enable a successful TLS handshake? Or should this not be a problem and the issue lies elsewhere?

Thank you already.

[YuanTingHsieh]

@lely475 thanks for your interest and question!

This is a very good question.

@yhwen @nvidianz @IsaacYangSLA do you know how can we configure our "project.yml" in this case?
We need to have client communicates with proxy and then proxy need to forward things to either 8002 or 8003.
Do we support this use case?

[yhwen]

NVFlare requires the direct client certificate for authentication. The proxy needs to be configured as to pass through the client certificate to the server.

[YuanTingHsieh]

@lely475 I know some teams successfully do this multi-hopping of network.

Can you try the 2.3 version of NVFlare?

The client certificates should put on client side and server certificates on server side same as a regular setup.

Your proxy needs to be a "pass through" as @yhwen suggested

[lely475]

Hi @YuanTingHsieh, I just realized I never closed this discussion. Yes, we are now using the 2.3 version of NVFlare. In the end it turned out not to be a proxy problem, but an incorrect whitelist on server side.