credentials/tls: default GRPC_ENFORCE_ALPN_ENABLED to true #7535

Merged
merged 3 commits into from
Sep 4, 2024
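--- a/credentials/credentials_test.go
+++ b/credentials/credentials_test.go
@@ -297,7 +297,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
 if err != nil {
 return nil, err
 }
-serverTLSConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
+serverTLSConfig := &tls.Config{
+Certificates: []tls.Certificate{cert},
+NextProtos: []string{"h2"},
+}
 serverConn := tls.Server(conn, serverTLSConfig)
 err = serverConn.Handshake()
 if err != nil {
@@ -307,7 +310,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
 }
 
 func tlsClientHandshake(conn net.Conn, _ string) (AuthInfo, error) {
-clientTLSConfig := &tls.Config{InsecureSkipVerify: true}
+clientTLSConfig := &tls.Config{
+InsecureSkipVerify: true, // NOLINT
+NextProtos: []string{"h2"},
+}
 clientConn := tls.Client(conn, clientTLSConfig)
 if err := clientConn.Handshake(); err != nil {
 return nil, err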
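Review bot: The new `InsecureSkipVerify: true, // NOLINT` in tlsClientHandshake silences the linter without recording why skipping verification is acceptable here, whereas the parallel change in credentials/xds/xds_server_test.go keeps an explanatory comment above the same field. A short reason is more useful to the next reader than a bare marker, e.g. `InsecureSkipVerify: true, // NOLINT: test-only client; certificate verification is not what this handshake exercises`. The `"h2"` literal is now repeated in this file, credentials/xds/xds_client_test.go and credentials/xds/xds_server_test.go; a single shared test constant would keep the ALPN protocol name in one place. Both tlsServerHandshake and tlsClientHandshake continue outside the hunks shown.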
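--- a/credentials/xds/xds_client_test.go
+++ b/credentials/xds/xds_client_test.go
@@ -146,7 +146,10 @@ func testServerTLSHandshake(rawConn net.Conn) handshakeResult {
 if err != nil {
 return handshakeResult{err: err}
 }
-cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+cfg := &tls.Config{
+Certificates: []tls.Certificate{cert},
+NextProtos: []string{"h2"},
+}
 conn := tls.Server(rawConn, cfg)
 if err := conn.Handshake(); err != nil {
 return handshakeResult{err: err}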
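--- a/credentials/xds/xds_server_test.go
+++ b/credentials/xds/xds_server_test.go
@@ -66,6 +66,7 @@ func makeClientTLSConfig(t *testing.T, mTLS bool) *tls.Config {
 // verification function. So, the server credentials tests will rely
 // solely on the success/failure of the server-side handshake.
 InsecureSkipVerify: true,
+NextProtos: []string{"h2"},
 }
 }
 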
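--- a/internal/envconfig/envconfig.go
+++ b/internal/envconfig/envconfig.go
@@ -45,7 +45,7 @@ var (
 // option is present for backward compatibility. This option may be overridden
 // by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
 // or "false".
-EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", false)
+EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
 // XDSFallbackSupport is the env variable that controls whether support for
 // xDS fallback is turned on. If this is unset or is false, only the first
 // xDS server in the list of server configs will be used.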
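Review bot: The doc comment directly above the flipped default still presents GRPC_ENFORCE_ALPN_ENABLED only as a backward-compatibility override and never states that enforcement is now on by default; the opening of that comment and the enclosing `var (` block lie outside the hunk, so the earlier sentences may also still describe the old default. Suggest rewording the visible tail to `// Enforcement is enabled by default; set the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "false" to disable it, or "true" to re-enable it.` Because a value of "false" turns off the check that the accompanying test changes accommodate by advertising "h2" (the ALPN requirement, presumably), the comment should frame that setting as a temporary opt-out for peers that have not yet been updated rather than as a neutral toggle.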