fix: expose ALPN in TLS handshake #422
Conversation
cert-manager-prow
bot
added
the
dco-signoff: no
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @howardjohn. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
cert-manager-prow
bot
added
needs-ok-to-test
cert-manager-prow
bot
added
dco-signoff: yes
|
cc @inteon |
|
/ok-to-test |
cert-manager-prow
bot
added
ok-to-test
and removed
needs-ok-to-test
|
Hiya! Thanks for contributing this fix. Looks like the golangci-lint check is failing. Specifically its complaining about the indentation now you have added the comment block, running Certificates: []tls.Certificate{tlsCert},
// Advertise ALPN, required in modern gRPC versions
// Typically gRPC sets this for us, but since this tls.Config ultimately gets returned in GetConfigForClient it doesn't.
- NextProtos: []string{"h2"},
- ClientAuth: tls.VerifyClientCertIfGiven,
- ClientCAs: peerCertVerifier.GetGeneralCertPool(),
+ NextProtos: []string{"h2"},
+ ClientAuth: tls.VerifyClientCertIfGiven,
+ ClientCAs: peerCertVerifier.GetGeneralCertPool(),
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
err := peerCertVerifier.VerifyPeerCert(rawCerts, verifiedChains)
if err != nil { |
New versions of gRPC-go are enforcing the `h2` ALPN to be presented during the TLS handshake. See https://pkg.go.dev/google.golang.org/grpc/internal/envconfig#pkg-variables `GRPC_ENFORCE_ALPN_ENABLED`. The TLS server here isn't automatically getting this set due to usage of GetConfigForClient. This properly sets it. Without this, istio-csr will be incompatible with Istio 1.24, which upgrades the gRPC version. Note this can be worked around by setting `GRPC_ENFORCE_ALPN_ENABLED=false` on the proxy container, which Istio is able to do -- so there is an escape hatch for users. The Istio logs look like `"transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property"` Signed-off-by: John Howard <john.howard@solo.io>
There was a problem hiding this comment.
Thank you for the bug report and fix.
Could you add a tests/ modify our tests to make sure GRPC_ENFORCE_ALPN_ENABLED now works & will keep working in the future?
Also, do you know where in code this is normally auto-set when we are not using GetConfigForClient?
New versions of gRPC-go are enforcing the
h2ALPN to be presented during the TLS handshake. Seehttps://pkg.go.dev/google.golang.org/grpc/internal/envconfig#pkg-variables
GRPC_ENFORCE_ALPN_ENABLED. The TLS server here isn't automatically getting this set due to usage of GetConfigForClient.This properly sets it.
Without this, istio-csr will be incompatible with Istio 1.24, which upgrades the gRPC version. Note this can be worked around by setting
GRPC_ENFORCE_ALPN_ENABLED=falseon the proxy container, which Istio is able to do -- so there is an escape hatch for users.The Istio logs look like
"transport: authentication handshake failed: credentials: cannot check peer: missing selected ALPN property"