This is an automated email from the ASF dual-hosted git repository.
He-Pin pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko-grpc.git
The following commit(s) were added to refs/heads/main by this push:
new 8dc6715d fix: clean up Netty SSL context creation (#707)
8dc6715d is described below
commit 8dc6715de367e6209c333760e6c526e1c9cd68bd
Author: He-Pin(kerr) <[email protected]>
AuthorDate: Sun May 24 21:57:58 2026 +0800
fix: clean up Netty SSL context creation (#707)
Motivation:
Port akka/akka-grpc@b0ff79ecc4382b25bad4e041df6cdbaa3b305343, which is now
Apache licensed, to remove reflective mutation of Netty JdkSslContext internals.
Modification:
Construct JdkSslContext directly from the provided Java SSLContext and
preserve HTTP/2 ciphers plus ALPN h2 for the current grpc-netty-shaded runtime.
Result:
Java SSLContext-backed clients avoid private-field reflection while keeping
TLS/HTTP2 negotiation working.
References:
https://github.com/akka/akka-grpc/commit/b0ff79ecc4382b25bad4e041df6cdbaa3b305343
https://github.com/akka/akka-grpc/pull/1649
---
.../pekko/grpc/internal/NettyClientUtils.scala | 35 ++++++++++++----------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git
a/runtime/src/main/scala/org/apache/pekko/grpc/internal/NettyClientUtils.scala
b/runtime/src/main/scala/org/apache/pekko/grpc/internal/NettyClientUtils.scala
index 9cd44fe6..83afe282 100644
---
a/runtime/src/main/scala/org/apache/pekko/grpc/internal/NettyClientUtils.scala
+++
b/runtime/src/main/scala/org/apache/pekko/grpc/internal/NettyClientUtils.scala
@@ -183,22 +183,25 @@ object NettyClientUtils {
*/
@InternalApi
private def createNettySslContext(javaSslContext: SSLContext): SslContext = {
- import io.grpc.netty.shaded.io.netty.handler.ssl.{ JdkSslContext,
SslProvider }
- import java.lang.reflect.Field
-
- // This is a hack for situations where the SSLContext is given.
- // This approach forces using SslProvider.JDK.
-
- // Create a Netty JdkSslContext object with all the correct ciphers,
protocol settings, etc initialized.
- val nettySslContext: JdkSslContext =
- GrpcSslContexts.configure(GrpcSslContexts.forClient,
SslProvider.JDK).build.asInstanceOf[JdkSslContext]
-
- // Patch the SSLContext value inside the JdkSslContext object
- val nettySslContextField: Field =
classOf[JdkSslContext].getDeclaredField("sslContext")
- nettySslContextField.setAccessible(true)
- nettySslContextField.set(nettySslContext, javaSslContext)
-
- nettySslContext
+ import io.grpc.netty.shaded.io.netty.handler.ssl.{
ApplicationProtocolConfig, ClientAuth, JdkSslContext }
+ import io.grpc.netty.shaded.io.netty.handler.codec.http2.Http2SecurityUtil
+ import io.grpc.netty.shaded.io.netty.handler.ssl.SupportedCipherSuiteFilter
+ // See
+ //
https://github.com/netty/netty/blob/4.1/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java#L229-L309
+ new JdkSslContext(
+ javaSslContext,
+ /* boolean isClient */ true,
+ // Keep HTTP/2 ciphers and ALPN so Java SSLContext-backed clients
negotiate h2.
+ /* Iterable<String> ciphers */ Http2SecurityUtil.CIPHERS,
+ SupportedCipherSuiteFilter.INSTANCE,
+ /* ApplicationProtocolConfig apn */ new ApplicationProtocolConfig(
+ ApplicationProtocolConfig.Protocol.ALPN,
+ ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
+ ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
+ "h2"),
+ ClientAuth.NONE, // server-only option, which is ignored as
isClient=true (as indicated in constructor Javadoc)
+ /* String[] protocols */ null, // use JDK defaults (null is accepted as
indicated in constructor Javadoc)
+ /* boolean startTls */ false)
}
/**
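Review bot: The `null` passed for `protocols` near the end of the `new JdkSslContext(...)` call leaves the enabled TLS versions to defaults, so this code does not fix the minimum version for clients that supply their own `SSLContext`. The inline comment says "use JDK defaults", but the selection is presumably made by the shaded Netty `JdkSslContext` from what the engine supports, and that can change on a grpc-netty-shaded upgrade. If this is intended, the comment could say so, e.g. `// null: Netty picks its defaults from what the supplied SSLContext supports; TLS versions are not pinned here`. The diffstat lists only NettyClientUtils.scala, so nothing exercises the new constructor path. A small test through whichever entry point reaches `createNettySslContext`, asserting that `applicationProtocolNegotiator().protocols()` contains `"h2"` and that `cipherSuites()` is non-empty, would catch a silent loss of ALPN or an empty filtered cipher list.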