Can anyone pls check this and help us?
On Tuesday, 10 June 2025 at 09:58:43 UTC+5:30 ganesh.umapathy wrote:
> Can anyone pls check and reply on this?
>
> On Saturday, 7 June 2025 at 19:41:11 UTC+5:30 ganesh.umapathy wrote:
>
>> I am using NettyChannelBuilder in grpc client and NettyServerBuilder in
>> grpc server.
>>
>> I have created NettyServerBuilder with sslcontext with TLS1.3 and started
>> the server as below
>> import io.grpc.ServerCredentials;
>> import io.grpc.TlsServerCredentials;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
>> import io.grpc.util.AdvancedTlsX509TrustManager;
>> import io.grpc.Server;
>> import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
>> import io.grpc.stub.StreamObserver;
>> import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
>> import java.security.cert.X509Certificate;
>> import javax.net.ssl.KeyManager;
>> import javax.net.ssl.X509TrustManager;
>>
>> private Server myServer;
>> CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
>> try {
>>     KeyManager serverKeyManager =
>>         myCertificateHandlerService.getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
>>     LOG.info("Retrieved key manager: {}", serverKeyManager);
>>
>>     X509TrustManager trustManager = (X509TrustManager)
>>         myCertificateHandlerService.getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
>>     X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
>>     LOG.info("Retrieved CA certificates: {}", acceptedIssuers);
>>
>>     SslContextBuilder builder =
>>         SslContextBuilder.forServer(serverKeyManager)
>>             .trustManager(trustManager)
>>             .clientAuth(ClientAuth.REQUIRE)
>>             .ciphers(CIPHER_SUITES_SUPPORTED)
>>             .protocols(TLS_VERSION_1_3) // Explicitly set TLSv1.3
>>             .sslProvider(SslProvider.JDK);
>>
>>     NettyServerBuilder serverBuilder =
>>         NettyServerBuilder.forPort(PORT)
>>             .sslContext(GrpcSslContexts.configure(builder).build())
>>             .addService(new LoadReportingRpcService());
>>     myServer = serverBuilder.directExecutor().build();
>>     myServer.start();
>> }
>> catch (Exception e) {
>>     LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA,
>>         "Failed to build SSL context {}", e);
>> }
>>
>> Also I have created NettyChannelBuilder with sslContext with TLS1.3 and
>> invoked rpc method in grpc server as below
>>
>> import io.grpc.LoadBalancerRegistry;
>> import io.grpc.ManagedChannel;
>> import io.grpc.ManagedChannelBuilder;
>> import io.grpc.NameResolverRegistry;
>> import io.grpc.StatusRuntimeException;
>> import io.grpc.internal.DnsNameResolverProvider;
>> import io.grpc.internal.PickFirstLoadBalancerProvider;
>> import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
>> import io.grpc.stub.StreamObserver;
>> import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
>> import javax.net.ssl.KeyManager;
>> import javax.net.ssl.TrustManager;
>> import javax.net.ssl.X509TrustManager;
>>
>> String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
>> try
>> {
>>     TrustManager[] caTrustManagers =
>>         myCertificateHandlerService.getServerTrustManagers(serviceGroup);
>>     KeyManager[] clientKeyManagers =
>>         myCertificateHandlerService.getClientKeyManagers(serviceGroup);
>>     if (caTrustManagers == null || clientKeyManagers == null)
>>     {
>>         LOG.error("NN Failed to retrieve PKI components. Server trust manager was {}, client key manager was {}, for service group {}",
>>             caTrustManagers,
>>             clientKeyManagers,
>>             serviceGroup);
>>     }
>>     else
>>     {
>>         LOG.error("NN Configure TLS1.3 client");
>>         X509TrustManager caTrustManager = (X509TrustManager) caTrustManagers[0];
>>         KeyManager keyManager = clientKeyManagers[0];
>>         SslContextBuilder sslContextBuilder =
>>             SslContextBuilder.forClient()
>>                 .trustManager(caTrustManager)
>>                 .keyManager(keyManager)
>>                 .protocols(TLS_VERSION_1_3)
>>                 .sslProvider(SslProvider.JDK)
>>                 .ciphers(CIPHER_SUITES_SUPPORTED);
>>         ManagedChannelBuilder<?> channelBuilder =
>>             NettyChannelBuilder.forAddress(target, GRPC_PORT);
>>         channelBuilder.directExecutor();
>>         LOG.error("NN tls enabled {}", isTlsEnabled());
>>         if (isTlsEnabled())
>>         {
>>             LOG.error("NN tls enabled and start secure grpc client");
>>             ((NettyChannelBuilder) channelBuilder)
>>                 .sslContext(GrpcSslContexts.configure(sslContextBuilder).build())
>>                 .useTransportSecurity();
>>         }
>>         foundChannel = channelBuilder.build();
>>         ReportingServiceGrpc.ReportingServiceStub stub =
>>             ReportingServiceGrpc.newStub(foundChannel);
>>         stub.invokeRpcMethod();
>>     }
>> }
>> catch (Exception e)
>> {
>>     LOG.error("Failed to create ssl context for {}",
>>         serviceGroup, e);
>> }
>>
>> I was using the below TLS1.3 ciphers in both server and client:
>> private static final Iterable<String> CIPHER_SUITES_SUPPORTED =
>>     Arrays.asList("TLS_AES_256_GCM_SHA384",
>>                   "TLS_AES_128_GCM_SHA256",
>>                   "TLS_CHACHA20_POLY1305_SHA256");
>>
>>
>> But I observed that a TLS1.2 connection is always established for client to
>> server communication. Here I have configured TLS1.3 in the sslcontext in
>> both client and server, and I am using Java 11. It should establish TLS1.3,
>> right?
>>
>> Is it a bug in gRPC? Otherwise, please clarify the solution and what I am
>> missing.
>
>
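Added example, not part of the original message and not grpc-java project code: a server interceptor that reads the negotiated TLS session from Grpc.TRANSPORT_ATTR_SSL_SESSION, logs the protocol and cipher suite actually in use, and rejects any call that was not negotiated as TLSv1.3. It gives a server-side check of the TLS1.2 observation described above. The class name TlsVersionInterceptor is hypothetical.

```java
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.logging.Logger;
import javax.net.ssl.SSLSession;

/** Hypothetical helper (added example): reports and enforces the negotiated TLS version. */
public final class TlsVersionInterceptor implements ServerInterceptor {
    private static final Logger LOG =
        Logger.getLogger(TlsVersionInterceptor.class.getName());
    // Protocol name as returned by SSLSession.getProtocol() for TLS 1.3.
    private static final String REQUIRED_PROTOCOL = "TLSv1.3";

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call,
            Metadata headers,
            ServerCallHandler<ReqT, RespT> next) {
        // Set by the transport after the handshake; null when the
        // connection is plaintext.
        SSLSession session =
            call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
        String protocol = (session == null) ? "none" : session.getProtocol();
        String cipher = (session == null) ? "none" : session.getCipherSuite();

        // What was negotiated, as opposed to what was configured.
        LOG.info("method=" + call.getMethodDescriptor().getFullMethodName()
            + " tlsProtocol=" + protocol
            + " cipherSuite=" + cipher);

        if (!REQUIRED_PROTOCOL.equals(protocol)) {
            // Fail closed: refuse the RPC instead of serving it over an
            // older protocol version or over plaintext.
            call.close(
                Status.PERMISSION_DENIED.withDescription(
                    "TLSv1.3 required, negotiated: " + protocol),
                new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }
        return next.startCall(call, headers);
    }
}
```

Register it on the server builder with intercept(new TlsVersionInterceptor()) before build(). The logged tlsProtocol value then shows per call whether the handshake ended at TLSv1.2 or TLSv1.3.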