fix: mTLS server and client setup and docs #1781
Conversation
plugin-tester-scala/src/main/scala/example/myapp/helloworld/MtlsGreeterServer.scala
Outdated
Show resolved
Hide resolved
Co-authored-by: Patrik Nordwall <patrik.nordwall@gmail.com>
|
Caveat: not sure the added SSL context setup doesn't break all kinds of things when not doing mTLS, hoping CI will tell me |
johanandren
changed the title
johanandren
changed the title
|
Some more testing/digging, the client SSLContext translation only happens when a custom SSLContext is defined, so regular use without that is completely unaffected by this, and I think all such customisation was broken based on what @patriknw noticed when trying to set up a custom context to accept a self-signed cert, which then worked with this patch. So: ready for final review/merge |
|
I'll add a test covering this as well, so we notice if we break TLS setup again |
I tested this with TLS but without mTLS and it works. |
|
We could add an additional test for custom SSL only, but I think what that would catch is already covered by the mTLS test I wrote yesterday. |
| try { | ||
| BufferedInputStream in = new BufferedInputStream(MtlsGreeterServer.class.getResourceAsStream(path)); | ||
| ByteArrayOutputStream bao = new ByteArrayOutputStream(); | ||
| for (int result = in.read(); result != -1; result = in.read()) { |
There was a problem hiding this comment.
Since this is text, shouldn't it use a Reader instead? Random example https://www.baeldung.com/convert-input-stream-to-string
Also, this is missing close() on the in. I think they are Closable so placing in try (...) { should automatically close.
| Server cert for localhost signed by rootCA in localhost-server.*, no password for private key | ||
| Client cert for a client to connect in localhost-client.*, no password for private key | ||
|
|
||
| Certs used by `MtlsGreeterServer`. |
There was a problem hiding this comment.
For reference, should we include the commands for how the test certs were created?
| @@ -19,8 +19,8 @@ object Dependencies { | |||
| // https://doc.akka.io//docs/akka/current/project/downstream-upgrade-strategy.html | |||
| val akka = "2.7.0" | |||
| val akkaBinary = "2.7" | |||
| val akkaHttp = "10.5.0-M1" | |||
| val akkaHttpBinary = "10.4" | |||
| val akkaHttp = "10.5.0" | |||
There was a problem hiding this comment.
make sure the release notes includes this change
|
@patriknw @johanandren Context: Play gRPC stucks on |
|
I'm afraid we have no plans to backport any functionality added in 2.2 and later to the 2.1 branch |
Will release be possible if I will do the small (without docs and samples) backport itself? |
|
I tested locally and it looks as if we need only this piece of changes, nothing more Subject: [PATCH] Backport #1781
---
Index: runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala b/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala
--- a/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala (revision accf37ccc97205d588742ced4bcc7d1ed7499142)
+++ b/runtime/src/main/scala/akka/grpc/internal/NettyClientUtils.scala (revision 1943f6dc29418f3332203fa3143b959aa60fd512)
@@ -5,7 +5,6 @@
package akka.grpc.internal
import java.util.concurrent.TimeUnit
-
import javax.net.ssl.SSLContext
import akka.{ Done, NotUsed }
import akka.annotation.InternalApi
@@ -16,7 +15,17 @@
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts
import io.grpc.netty.shaded.io.grpc.netty.NegotiationType
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder
-import io.grpc.netty.shaded.io.netty.handler.ssl.{ SslContext, SslContextBuilder }
+import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig.{
+ Protocol,
+ SelectedListenerFailureBehavior,
+ SelectorFailureBehavior
+}
+import io.grpc.netty.shaded.io.netty.handler.ssl.{
+ ApplicationProtocolConfig,
+ ApplicationProtocolNames,
+ SslContext,
+ SslContextBuilder
+}
import scala.annotation.nowarn
import scala.concurrent.duration.FiniteDuration
@@ -172,23 +181,24 @@
*/
@InternalApi
private def createNettySslContext(javaSslContext: SSLContext): SslContext = {
- import io.grpc.netty.shaded.io.netty.handler.ssl.{
- ApplicationProtocolConfig,
- ClientAuth,
- IdentityCipherSuiteFilter,
- JdkSslContext
- }
+ import io.grpc.netty.shaded.io.netty.handler.ssl.{ ClientAuth, IdentityCipherSuiteFilter, JdkSslContext }
// See
// https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java#L229-L309
- new JdkSslContext(
+ val apn = new ApplicationProtocolConfig(
+ Protocol.ALPN,
+ SelectorFailureBehavior.NO_ADVERTISE,
+ SelectedListenerFailureBehavior.ACCEPT,
+ ApplicationProtocolNames.HTTP_2)
+ val context = new JdkSslContext(
javaSslContext,
/* boolean isClient */ true,
/* Iterable<String> ciphers */ null, // use JDK defaults (null is accepted as indicated in constructor Javadoc)
IdentityCipherSuiteFilter.INSTANCE,
- /* ApplicationProtocolConfig apn */ ApplicationProtocolConfig.DISABLED, // use JDK default (null would also be acceptable, DISABLED config will select the NONE protocol and thus the JdkDefaultApplicationProtocolNegotiator)
- ClientAuth.NONE, // server-only option, which is ignored as isClient=true (as indicated in constructor Javadoc)
+ /* ApplicationProtocolConfig apn */ apn,
+ ClientAuth.OPTIONAL, // server-only option, which is ignored as isClient=true (as indicated in constructor Javadoc)
/* String[] protocols */ null, // use JDK defaults (null is accepted as indicated in constructor Javadoc)
/* boolean startTls */ false)
+ context
}
/**
|
Includes fix for #1728