-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: expose ALPN in TLS handshake #422
Conversation
Hi @howardjohn. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
cc @inteon |
/ok-to-test |
Hiya! Thanks for contributing this fix. Looks like the golangci-lint check is failing. Specifically its complaining about the indentation now you have added the comment block, running Certificates: []tls.Certificate{tlsCert},
// Advertise ALPN, required in modern gRPC versions
// Typically gRPC sets this for us, but since this tls.Config ultimately gets returned in GetConfigForClient it doesn't.
- NextProtos: []string{"h2"},
- ClientAuth: tls.VerifyClientCertIfGiven,
- ClientCAs: peerCertVerifier.GetGeneralCertPool(),
+ NextProtos: []string{"h2"},
+ ClientAuth: tls.VerifyClientCertIfGiven,
+ ClientCAs: peerCertVerifier.GetGeneralCertPool(),
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
err := peerCertVerifier.VerifyPeerCert(rawCerts, verifiedChains)
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the bug report and fix.
Could you add a tests/ modify our tests to make sure GRPC_ENFORCE_ALPN_ENABLED now works & will keep working in the future?
Also, do you know where in code this is normally auto-set when we are not using GetConfigForClient?
Should we just add a test for Istio 1.24 directly? Can use a pre-release in the meantime |
Adding an Istio 1.24 test sounds like a great solution. |
See cert-manager/istio-csr#422 for context Signed-off-by: John Howard <[email protected]>
@howardjohn In order to test istio 1.24, we will have to add a file here: https://github.com/cert-manager/istio-csr/tree/main/make/config/istio. We can locally test the test using the following command: |
Thanks, added it and also https://github.com/cert-manager/testing/pull/1066/files |
Can confirm, on this branch:
But if I copy the istio config and run the tests on the |
The errors were in the istio-proxy logs in my experience |
New versions of gRPC-go are enforcing the `h2` ALPN to be presented during the TLS handshake. See https://pkg.go.dev/google.golang.org/grpc/internal/envconfig#pkg-variables `GRPC_ENFORCE_ALPN_ENABLED`. The TLS server here isn't automatically getting this set due to usage of GetConfigForClient. This properly sets it. Without this, istio-csr will be incompatible with Istio 1.24, which upgrades the gRPC version. Note this can be worked around by setting `GRPC_ENFORCE_ALPN_ENABLED=false` on the proxy container, which Istio is able to do -- so there is an escape hatch for users. The Istio logs look like `"transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property"` Signed-off-by: John Howard <[email protected]>
This worked for me:
|
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Adding even though this has merged: I saw these errors in istio-proxy in the e2e tests without this change:
|
New versions of gRPC-go are enforcing the
h2
ALPN to be presented during the TLS handshake. Seehttps://pkg.go.dev/google.golang.org/grpc/internal/envconfig#pkg-variables
GRPC_ENFORCE_ALPN_ENABLED
. The TLS server here isn't automatically getting this set due to usage of GetConfigForClient.This properly sets it.
Without this, istio-csr will be incompatible with Istio 1.24, which upgrades the gRPC version. Note this can be worked around by setting
GRPC_ENFORCE_ALPN_ENABLED=false
on the proxy container, which Istio is able to do -- so there is an escape hatch for users.The Istio logs look like
"transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property"