auto-set ALPN when using GetConfigForClient

Open howardjohn opened this issue 1 year ago • 3 comments

Use case(s) - what problem will this feature solve?

In grpc-go v67, the client will reject servers not advertising ALPN=h2.

Typically, gRPC will automatically set this on the tls.Config passed in on the server side. However, when GetConfigForClient is used, it will not.

Proposed Solution

Make GetConfigForClient usage automatically set alpn=h2

Alternatives Considered

  • Change application to explicitly set ALPN
  • Deploy all clients with GRPC_ENFORCE_ALPN_ENABLED=false. This is not great since it will probably go away(?) and you don't always control the clients.

Additional Context

Previous issue, stale-closed: https://github.com/grpc/grpc-go/issues/5814. Likely not a priority since it didn't hurt most users until the clients started denying

Popular projects broken by this:

  • https://github.com/cert-manager/istio-csr/pull/422
  • https://github.com/siderolabs/talos/issues/9463

howardjohn avatar Oct 08 '24 15:10 howardjohn

@howardjohn could you clarify what you expected and what you saw instead? We currently enforce ALPN by default, so clients and servers will now reject TLS connections that don't support ALPN. However, this can be disabled by setting the environment variable GRPC_ENFORCE_ALPN_ENABLED to false (case insensitive).

purnesh42H avatar Oct 09 '24 16:10 purnesh42H

When I set up a gRPC server with something like &tls.Config{}, and pass this to gRPC, it automatically adds NextProtos=[]string{h2}. This means that ALPN works and will not be rejected.

If I instead pass &tls.Config{GetConfigForClient: func() { ... }}, the tls.Config will be used directly from the result of the function, and NOT get the NextProtos set, meaning there will be no ALPN, and clients will reject things.

A server can work around this by manually setting NextProtos on the resulting tls.Config, of course, but it's something many projects are not doing since they didn't need to prior to 0.67.

howardjohn avatar Oct 09 '24 16:10 howardjohn

@howardjohn you are correct. We need to do the same modifications to config returned by GetConfigForClient as well

purnesh42H avatar Oct 11 '24 06:10 purnesh42H

The fix is expected to be released as part of grpc-go v1.69 since we've already cut the branch for 1.68.

arjan-bal avatar Oct 22 '24 17:10 arjan-bal
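
The server-side workaround discussed in the thread (setting NextProtos yourself on the config that GetConfigForClient returns), as an added example that is not code from the issue or from grpc-go. `WithH2ALPN` and `appendH2` are hypothetical helper names, and only the standard library `crypto/tls` is used.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// appendH2 returns protos with "h2" present, copying so the caller's slice is untouched.
func appendH2(protos []string) []string {
	for _, p := range protos {
		if p == "h2" {
			return protos
		}
	}
	return append(append([]string{}, protos...), "h2")
}

// WithH2ALPN (hypothetical helper) returns a copy of cfg that advertises h2
// both directly and on every config produced by cfg.GetConfigForClient.
func WithH2ALPN(cfg *tls.Config) *tls.Config {
	out := cfg.Clone()
	out.NextProtos = appendH2(out.NextProtos)
	inner := cfg.GetConfigForClient
	if inner == nil {
		return out
	}
	out.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		perClient, err := inner(hello)
		if err != nil || perClient == nil {
			// A nil config tells crypto/tls to fall back to out, which already has h2.
			return perClient, err
		}
		perClient = perClient.Clone() // the callback may hand out a shared config
		perClient.NextProtos = appendH2(perClient.NextProtos)
		return perClient, nil
	}
	return out
}

func main() {
	// Constructed server config: the per-client config sets no ALPN at all.
	base := &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
	}}
	got, err := WithH2ALPN(base).GetConfigForClient(&tls.ClientHelloInfo{})
	fmt.Println(got.NextProtos, err)
}
```

The wrapped config is what a server would hand to `credentials.NewTLS`; the original config and anything its callback returns are left unmodified.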