fix: set nextProto to h2 in tlsConfig

ppzqh · Jan 22, 2024 · b73ec9e · b73ec9e
1 parent bfe3296
commit b73ec9e
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 3 deletions.
diff --git a/client/option_advanced.go b/client/option_advanced.go
@@ -33,6 +33,7 @@ import (
 	"github.com/cloudwego/kitex/pkg/proxy"
 	"github.com/cloudwego/kitex/pkg/remote"
 	"github.com/cloudwego/kitex/pkg/remote/trans/netpoll"
+	"github.com/cloudwego/kitex/pkg/remote/trans/nphttp2/grpc"
 	"github.com/cloudwego/kitex/pkg/retry"
 	"github.com/cloudwego/kitex/pkg/rpcinfo"
 	"github.com/cloudwego/kitex/pkg/utils"
@@ -238,6 +239,6 @@ func WithBoundHandler(h remote.BoundHandler) Option {
 func WithGRPCTLSConfig(tlsConfig *tls.Config) Option {
 	return Option{F: func(o *client.Options, di *utils.Slice) {
 		di.Push("WithGRPCTLSConfig")
-		o.GRPCConnectOpts.TLSConfig = tlsConfig
+		o.GRPCConnectOpts.TLSConfig = grpc.TLSConfig(tlsConfig)
 	}}
 }
diff --git a/pkg/remote/trans/nphttp2/conn_pool.go b/pkg/remote/trans/nphttp2/conn_pool.go
@@ -109,7 +109,11 @@ func (p *connPool) newTransport(ctx context.Context, dialer remote.Dialer, netwo
 		return nil, err
 	}
 	if opts.TLSConfig != nil {
-		conn = tls.Client(conn, opts.TLSConfig)
+		tlsConn, err := newTLSConn(conn, opts.TLSConfig)
+		if err != nil {
+			return nil, err
+		}
+		conn = tlsConn
 	}
 	return grpc.NewClientTransport(
 		ctx,
@@ -222,3 +226,12 @@ func (p *connPool) Close() error {
 	})
 	return nil
 }
+
+// newTLSConn constructs a client-side TLS connection and performs handshake.
+func newTLSConn(conn net.Conn, tlsCfg *tls.Config) (net.Conn, error) {
+	tlsConn := tls.Client(conn, tlsCfg)
+	if err := tlsConn.Handshake(); err != nil {
+		return nil, err
+	}
+	return tlsConn, nil
+}
diff --git a/pkg/remote/trans/nphttp2/grpc/http2_client.go b/pkg/remote/trans/nphttp2/grpc/http2_client.go
@@ -296,9 +296,10 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 	hfLen := 7 // :method, :scheme, :path, :authority, content-type, user-agent, te
 	headerFields := make([]hpack.HeaderField, 0, hfLen)
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":method", Value: "POST"})
-	headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: "http"})
+	headerFields = append(headerFields, hpack.HeaderField{Name: ":scheme", Value: "https"})
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":path", Value: callHdr.Method})
 	headerFields = append(headerFields, hpack.HeaderField{Name: ":authority", Value: callHdr.Host})
+	//headerFields = append(headerFields, hpack.HeaderField{Name: "host", Value: callHdr.Host})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "content-type", Value: contentType(callHdr.ContentSubtype)})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "user-agent", Value: defaultUserAgent})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "te", Value: "trailers"})

diff --git a/pkg/remote/trans/nphttp2/grpc/transport.go b/pkg/remote/trans/nphttp2/grpc/transport.go
@@ -797,3 +797,26 @@ func ContextErr(err error) error {
 	}
 	return status.Errorf(codes.Internal, "Unexpected error from context packet: %v", err)
 }
+
+// TLSConfig checks and supplement the tls config provided by user.
+func TLSConfig(tlsConfig *tls.Config) *tls.Config {
+	cfg := tlsConfig.Clone()
+	// When multiple application protocols are supported on a single server-side port number,
+	// the client and the server need to negotiate an application protocol for use with each connection.
+	// For gRPC, "h2" should be appended to "application_layer_protocol_negotiation" field.
+	cfg.NextProtos = tlsAppendH2ToALPNProtocols(cfg.NextProtos)
+	return cfg
+}
+
+const alpnProtoStrH2 = "h2"
+
+func tlsAppendH2ToALPNProtocols(ps []string) []string {
+	for _, p := range ps {
+		if p == alpnProtoStrH2 {
+			return ps
+		}
+	}
+	ret := make([]string, 0, len(ps)+1)
+	ret = append(ret, ps...)
+	return append(ret, alpnProtoStrH2)
+}