fix: mTLS server and client setup and docs #1781
Conversation
plugin-tester-scala/src/main/scala/example/myapp/helloworld/MtlsGreeterServer.scala
Co-authored-by: Patrik Nordwall <patrik.nordwall@gmail.com>
Caveat: not sure the added SSL context setup doesn't break all kinds of things when not doing mTLS, hoping CI will tell me
Some more testing/digging, the client SSLContext translation only happens when a custom SSLContext is defined, so regular use without that is completely unaffected by this, and I think all such customisation was broken based on what @patriknw noticed when trying to set up a custom context to accept a self-signed cert, which then worked with this patch. So: ready for final review/merge
I'll add a test covering this as well, so we notice if we break TLS setup again
I tested this with TLS but without mTLS and it works. |
We could add an additional test for custom SSL only, but I think what that would catch is already covered by the mTLS test I wrote yesterday. |
LGTM, after something minor in the samples
try {
    BufferedInputStream in = new BufferedInputStream(MtlsGreeterServer.class.getResourceAsStream(path));
    ByteArrayOutputStream bao = new ByteArrayOutputStream();
    for (int result = in.read(); result != -1; result = in.read()) {
Since this is text, shouldn't it use a Reader instead? Random example https://www.baeldung.com/convert-input-stream-to-string
Also, this is missing close() on the in. I think they are Closeable, so placing in try (...) { should automatically close.
Server cert for localhost signed by rootCA in localhost-server.*, no password for private key
Client cert for a client to connect in localhost-client.*, no password for private key

Certs used by `MtlsGreeterServer`.
For reference, should we include the commands for how the test certs were created?
@@ -19,8 +19,8 @@ object Dependencies { | |||
// https://doc.akka.io//docs/akka/current/project/downstream-upgrade-strategy.html | |||
val akka = "2.7.0" | |||
val akkaBinary = "2.7" | |||
val akkaHttp = "10.5.0-M1" | |||
val akkaHttpBinary = "10.4" | |||
val akkaHttp = "10.5.0" |
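Review bot: akkaHttp moves from 10.5.0-M1 to 10.5.0 but the context line just above keeps `val akkaHttpBinary = "10.4"`; confirm that mismatch is intended (for example if akkaHttpBinary is only used to build documentation links) or bump it to "10.5" in the same hunk so the two values do not drift apart silently.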
make sure the release notes include this change
@patriknw @johanandren Context: Play gRPC is stuck on
I'm afraid we have no plans to backport any functionality added in 2.2 and later to the 2.1 branch
Will a release be possible if I do the small backport (without docs and samples) myself?
I tested locally and it looks as if we only need this piece of the changes, nothing more
Subject: [PATCH] Backport #1781
---
Index: runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala b/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala
--- a/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala (revision accf37ccc97205d588742ced4bcc7d1ed7499142)
+++ b/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala (revision 1943f6dc29418f3332203fa3143b959aa60fd512)
@@ -5,7 +5,6 @@
package akka.grpc.internal
import java.util.concurrent.TimeUnit
-
import javax.net.ssl.SSLContext
import akka.{ Done, NotUsed }
import akka.annotation.InternalApi
@@ -16,7 +15,17 @@
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts
import io.grpc.netty.shaded.io.grpc.netty.NegotiationType
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder
-import io.grpc.netty.shaded.io.netty.handler.ssl.{ SslContext, SslContextBuilder }
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig.{
+ Protocol,
+ SelectedListenerFailureBehavior,
+ SelectorFailureBehavior
+}
+import io.grpc.netty.shaded.io.netty.handler.ssl.{
+ ApplicationProtocolConfig,
+ ApplicationProtocolNames,
+ SslContext,
+ SslContextBuilder
+}
import scala.annotation.nowarn
import scala.concurrent.duration.FiniteDuration
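Review bot: style: the new imports put the very generic names `Protocol`, `SelectorFailureBehavior` and `SelectedListenerFailureBehavior` into this file's top-level scope although each is used exactly once, in createNettySslContext; consider importing only `ApplicationProtocolConfig` and `ApplicationProtocolNames` here and writing `ApplicationProtocolConfig.Protocol.ALPN` at the use site, or keep the import local to that method the way the removed block did for `ClientAuth` and `JdkSslContext`.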
@@ -172,23 +181,24 @@
*/
@InternalApi
private def createNettySslContext(javaSslContext: SSLContext): SslContext = {
- import io.grpc.netty.shaded.io.netty.handler.ssl.{
- ApplicationProtocolConfig,
- ClientAuth,
- IdentityCipherSuiteFilter,
- JdkSslContext
- }
+ import io.grpc.netty.shaded.io.netty.handler.ssl.{ ClientAuth, IdentityCipherSuiteFilter, JdkSslContext }
// See
// https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java#L229-L309
- new JdkSslContext(
+ val apn = new ApplicationProtocolConfig(
+ Protocol.ALPN,
+ SelectorFailureBehavior.NO_ADVERTISE,
+ SelectedListenerFailureBehavior.ACCEPT,
+ ApplicationProtocolNames.HTTP_2)
+ val context = new JdkSslContext(
javaSslContext,
/* boolean isClient */ true,
/* Iterable<String> ciphers */ null, // use JDK defaults (null is accepted as indicated in constructor Javadoc)
IdentityCipherSuiteFilter.INSTANCE,
- /* ApplicationProtocolConfig apn */ ApplicationProtocolConfig.DISABLED, // use JDK default (null would also be acceptable, DISABLED config will select the NONE protocol and thus the JdkDefaultApplicationProtocolNegotiator)
- ClientAuth.NONE, // server-only option, which is ignored as isClient=true (as indicated in constructor Javadoc)
+ /* ApplicationProtocolConfig apn */ apn,
+ ClientAuth.OPTIONAL, // server-only option, which is ignored as isClient=true (as indicated in constructor Javadoc)
/* String[] protocols */ null, // use JDK defaults (null is accepted as indicated in constructor Javadoc)
/* boolean startTls */ false)
+ context
}
/**
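Review bot: `ClientAuth.OPTIONAL` replaces `ClientAuth.NONE` on a context built with `/* boolean isClient */ true`, yet the comment on the same line still says it is a server-only option that is ignored for isClient=true; if it really is ignored the change is a no-op that will puzzle the next reader, and if it is not, the comment is wrong, so either revert to `ClientAuth.NONE` or rewrite the comment to say why OPTIONAL is needed on the client side. Secondary: `SelectedListenerFailureBehavior.ACCEPT` lets the handshake complete even when the server selects no protocol or one other than `ApplicationProtocolNames.HTTP_2`, so a peer that cannot speak h2 fails later at the gRPC/HTTP-2 layer instead of at the TLS handshake; if ACCEPT is chosen deliberately, a one-line comment next to `val apn` explaining that would save readers a trip to the Netty source linked above.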
Includes fix for #1728