[grpc-io] GRPC netty establishing TLS1.2 always even if configured TLS1.3 in sslcontext in grpc client & server

[ganesh.umapathy ganesh.umapathy]

I am using NettyChannelBuilder in grpc client and NettyServerBuilder in 
grpc server.

I have created NettyServerBuilder with sslcontext with TLS1.3 and started 
the server as below
import io.grpc.ServerCredentials;
import io.grpc.TlsServerCredentials;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.util.AdvancedTlsX509TrustManager;
import io.grpc.Server;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.stub.StreamObserver;

        private Server myServer;
        CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
        try {
            KeyManager serverKeyManager = 
myCertificateHandlerService.getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
            LOG.info("Retrieved key manager: {}", serverKeyManager);

            X509TrustManager trustManager =
                    (X509TrustManager) 
myCertificateHandlerService.getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
            X509Certificate[] acceptedIssuers = 
trustManager.getAcceptedIssuers();
            LOG.info("Retrieved CA certificates: {}", acceptedIssuers);

            SslContextBuilder builder = 
SslContextBuilder.forServer(serverKeyManager)
                    .trustManager(trustManager)
                    .clientAuth(ClientAuth.REQUIRE)
                    .ciphers(CIPHER_SUITES_SUPPORTED)
                    .protocols(TLS_VERSION_1_3);  // Explicitly set TLSv1.3
                    .sslProvider(SslProvider.JDK);

            NettyServerBuilder.forPort(PORT)
                        
.sslContext(GrpcSslContexts.configure(builder).build())
                        .addService(new LoadReportingRpcService());
myServer = serverBuilder.directExecutor().build();
            myServer.start();

        }
        catch (Exception e) {
            LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA, "Failed 
to build SSL context {}", e);
        }





Also I have created NettyChannelBuilder with sslContext with TLS1.3 and 
invoked rpc method in grpc server as below
 
 import io.grpc.LoadBalancerRegistry;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.NameResolverRegistry;
import io.grpc.StatusRuntimeException;
import io.grpc.internal.DnsNameResolverProvider;
import io.grpc.internal.PickFirstLoadBalancerProvider;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.stub.StreamObserver;


   String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
        try
        {
            TrustManager[] caTrustManagers = 
myCertificateHandlerService.getServerTrustManagers(serviceGroup);
            KeyManager[] clientKeyManagers = 
myCertificateHandlerService.getClientKeyManagers(serviceGroup);
            if (caTrustManagers == null || clientKeyManagers == null)
            {
                LOG.error("NN Failed to retrieve PKI components. Server 
trust manager was {}, client key manager was {}, for service group {}",
                        caTrustManagers,
                        clientKeyManagers,
                        serviceGroup);
            }
            else
            {
                LOG.error("NN Configure TLS1.3 client");
                X509TrustManager caTrustManager = (X509TrustManager) 
caTrustManagers[0];
                KeyManager keyManager = clientKeyManagers[0];
                SslContextBuilder sslContextBuilder = 
SslContextBuilder.forClient()
                        .trustManager(caTrustManager)
                        .keyManager(keyManager)
                        .protocols(TLS_VERSION_1_3);
                        .sslProvider(SslProvider.JDK)
                        .ciphers(CIPHER_SUITES_SUPPORTED);
ManagedChannelBuilder<?> channelBuilder = 
NettyChannelBuilder.forAddress(target, GRPC_PORT);
                channelBuilder.directExecutor();
                LOG.error("NN tls enabled {}", isTlsEnabled());
                if (isTlsEnabled())
                {
                   LOG.error("NN tls enabled and start secure grpc client");
                   ((NettyChannelBuilder) 
channelBuilder).sslContext(GrpcSslContexts.configure(sslContextBuilder).build())).useTransportSecurity();
                }
    foundChannel = channelBuilder.build();
                ReportingServiceGrpc.ReportingServiceStub stub = 
ReportingServiceGrpc.newStub(foundChannel);
stub.invokeRpcMethod();
            }
        }
        catch (Exception e)
        {
            LOG.error("Failed to create ssl context for {}", serviceGroup, 
e);
        }

 
I


I was using below TLS1.3 ciphers in both server and client
 private static final Iterable<String> CIPHER_SUITES_SUPPORTED =
            Arrays.asList("TLS_AES_256_GCM_SHA384", 
"TLS_AES_128_GCM_SHA256",
                    "TLS_CHACHA20_POLY1305_SHA256");


But observed that TLS1.2 connection is established always from client to 
server communication. Here i have configured with TLS1.3 in sslcontext in 
both client and server and i am using java 11. It should establish TLS1.3 
right?

is it a bug in GRPC?   Otherwise please clarify me with the solution with 
what am i missing ?

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/grpc-io/8161a0e2-da19-43f8-b744-b97e574324f1n%40googlegroups.com.