credentials/tls: default GRPC_ENFORCE_ALPN_ENABLED to true (#7535)
arjan-bal authored Sep 4, 2024
1 parent 92111dc commit 70f19ee
Showing 4 changed files with 14 additions and 4 deletions.
10 changes: 8 additions & 2 deletions credentials/credentials_test.go
Expand Up @@ -297,7 +297,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
if err != nil {
return nil, err
}
serverTLSConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
serverTLSConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
NextProtos: []string{"h2"},
}
serverConn := tls.Server(conn, serverTLSConfig)
err = serverConn.Handshake()
if err != nil {
Expand All @@ -307,7 +310,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
}

func tlsClientHandshake(conn net.Conn, _ string) (AuthInfo, error) {
clientTLSConfig := &tls.Config{InsecureSkipVerify: true}
clientTLSConfig := &tls.Config{
InsecureSkipVerify: true, // NOLINT
NextProtos: []string{"h2"},
}
clientConn := tls.Client(conn, clientTLSConfig)
if err := clientConn.Handshake(); err != nil {
return nil, err
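Review bot: The `// NOLINT` added on the InsecureSkipVerify line in the second hunk (tlsClientHandshake) suppresses the linter without saying why disabling certificate verification is acceptable here, whereas the parallel client config in credentials/xds/xds_server_test.go carries an explanatory comment. A reader auditing test helpers for settings that must never leak into production code benefits from the reason being stated next to the flag, e.g. `InsecureSkipVerify: true, // NOLINT: test-only handshake helper; certificate verification is not what these tests exercise`. The "h2" literal in NextProtos is now repeated in both helpers of this file and in the two xds test files; a single named constant per package would make the ALPN expectation easier to keep in sync. Both tlsServerHandshake and tlsClientHandshake continue outside the hunks.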
5 changes: 4 additions & 1 deletion credentials/xds/xds_client_test.go
Expand Up @@ -146,7 +146,10 @@ func testServerTLSHandshake(rawConn net.Conn) handshakeResult {
if err != nil {
return handshakeResult{err: err}
}
cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
cfg := &tls.Config{
Certificates: []tls.Certificate{cert},
NextProtos: []string{"h2"},
}
conn := tls.Server(rawConn, cfg)
if err := conn.Handshake(); err != nil {
return handshakeResult{err: err}
1 change: 1 addition & 0 deletions credentials/xds/xds_server_test.go
Expand Up @@ -66,6 +66,7 @@ func makeClientTLSConfig(t *testing.T, mTLS bool) *tls.Config {
// verification function. So, the server credentials tests will rely
// solely on the success/failure of the server-side handshake.
InsecureSkipVerify: true,
NextProtos: []string{"h2"},
}
}

2 changes: 1 addition & 1 deletion internal/envconfig/envconfig.go
Expand Up @@ -45,7 +45,7 @@ var (
// option is present for backward compatibility. This option may be overridden
// by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
// or "false".
EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", false)
EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
// XDSFallbackSupport is the env variable that controls whether support for
// xDS fallback is turned on. If this is unset or is false, only the first
// xDS server in the list of server configs will be used.
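Review bot: The doc comment on EnforceALPNEnabled is not updated alongside the default flip from false to true; the visible part still only says the option "is present for backward compatibility" and may be overridden, and the start of the comment lies above the hunk, so it may still describe the old default. Since the ALPN check is now on by default, the comment should state that and frame the "false" setting as the exception, e.g. append `// The default is true. Setting GRPC_ENFORCE_ALPN_ENABLED to "false" disables the check and is intended only as a temporary escape hatch for peers that do not negotiate ALPN.` The var block that holds this declaration continues outside the hunk.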
