Can anyone pls check and reply on this?
On Saturday, 7 June 2025 at 19:41:11 UTC+5:30 ganesh.umapathy
ganesh.umapathy wrote:
> I am using NettyChannelBuilder in grpc client and NettyServerBuilder in
> grpc server.
>
> I have created NettyServerBuilder with sslcontext with TLS1.3 and started
> the server as below
> import io.grpc.ServerCredentials;
> import io.grpc.TlsServerCredentials;
> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
> import io.grpc.util.AdvancedTlsX509TrustManager;
> import io.grpc.Server;
> import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
> import io.grpc.stub.StreamObserver;
>
> private Server myServer;
> CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
> try {
> KeyManager serverKeyManager =
> myCertificateHandlerService.getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
> LOG.info("Retrieved key manager: {}", serverKeyManager);
>
> X509TrustManager trustManager =
> (X509TrustManager)
> myCertificateHandlerService.getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
> X509Certificate[] acceptedIssuers =
> trustManager.getAcceptedIssuers();
> LOG.info("Retrieved CA certificates: {}", acceptedIssuers);
>
> SslContextBuilder builder =
> SslContextBuilder.forServer(serverKeyManager)
> .trustManager(trustManager)
> .clientAuth(ClientAuth.REQUIRE)
> .ciphers(CIPHER_SUITES_SUPPORTED)
> .protocols(TLS_VERSION_1_3); // Explicitly set TLSv1.3
> .sslProvider(SslProvider.JDK);
>
> NettyServerBuilder.forPort(PORT)
>
> .sslContext(GrpcSslContexts.configure(builder).build())
> .addService(new LoadReportingRpcService());
> myServer = serverBuilder.directExecutor().build();
> myServer.start();
>
> }
> catch (Exception e) {
> LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA,
> "Failed to build SSL context {}", e);
> }
>
>
>
>
>
> Also I have created NettyChannelBuilder with sslContext with TLS1.3 and
> invoked rpc method in grpc server as below
>
> import io.grpc.LoadBalancerRegistry;
> import io.grpc.ManagedChannel;
> import io.grpc.ManagedChannelBuilder;
> import io.grpc.NameResolverRegistry;
> import io.grpc.StatusRuntimeException;
> import io.grpc.internal.DnsNameResolverProvider;
> import io.grpc.internal.PickFirstLoadBalancerProvider;
> import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
> import io.grpc.stub.StreamObserver;
>
>
> String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
> try
> {
> TrustManager[] caTrustManagers =
> myCertificateHandlerService.getServerTrustManagers(serviceGroup);
> KeyManager[] clientKeyManagers =
> myCertificateHandlerService.getClientKeyManagers(serviceGroup);
> if (caTrustManagers == null || clientKeyManagers == null)
> {
> LOG.error("NN Failed to retrieve PKI components. Server
> trust manager was {}, client key manager was {}, for service group {}",
> caTrustManagers,
> clientKeyManagers,
> serviceGroup);
> }
> else
> {
> LOG.error("NN Configure TLS1.3 client");
> X509TrustManager caTrustManager = (X509TrustManager)
> caTrustManagers[0];
> KeyManager keyManager = clientKeyManagers[0];
> SslContextBuilder sslContextBuilder =
> SslContextBuilder.forClient()
> .trustManager(caTrustManager)
> .keyManager(keyManager)
> .protocols(TLS_VERSION_1_3);
> .sslProvider(SslProvider.JDK)
> .ciphers(CIPHER_SUITES_SUPPORTED);
> ManagedChannelBuilder<?> channelBuilder =
> NettyChannelBuilder.forAddress(target, GRPC_PORT);
> channelBuilder.directExecutor();
> LOG.error("NN tls enabled {}", isTlsEnabled());
> if (isTlsEnabled())
> {
> LOG.error("NN tls enabled and start secure grpc
> client");
> ((NettyChannelBuilder)
> channelBuilder).sslContext(GrpcSslContexts.configure(sslContextBuilder).build())).useTransportSecurity();
> }
> foundChannel = channelBuilder.build();
> ReportingServiceGrpc.ReportingServiceStub stub =
> ReportingServiceGrpc.newStub(foundChannel);
> stub.invokeRpcMethod();
> }
> }
> catch (Exception e)
> {
> LOG.error("Failed to create ssl context for {}", serviceGroup,
> e);
> }
>
>
> I
>
>
> I was using below TLS1.3 ciphers in both server and client
> private static final Iterable<String> CIPHER_SUITES_SUPPORTED =
> Arrays.asList("TLS_AES_256_GCM_SHA384",
> "TLS_AES_128_GCM_SHA256",
> "TLS_CHACHA20_POLY1305_SHA256");
>
>
> But observed that TLS1.2 connection is established always from client to
> server communication. Here i have configured with TLS1.3 in sslcontext in
> both client and server and i am using java 11. It should establish TLS1.3
> right?
>
> is it a bug in GRPC? Otherwise please clarify me with the solution with
> what am i missing ?
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/grpc-io/61027cfc-b377-4061-979c-ef4dffbb2dacn%40googlegroups.com.
