1

I am using NettyChannelBuilder in grpc client and NettyServerBuilder in grpc server.

I have created NettyServerBuilder with sslcontext with TLS1.3 and started the server as below

import io.grpc.ServerCredentials;
import io.grpc.TlsServerCredentials;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.util.AdvancedTlsX509TrustManager;
import io.grpc.Server;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.stub.StreamObserver;

private Server myServer;
CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
try {
    KeyManager serverKeyManager = myCertificateHandlerService.getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
    LOG.info("Retrieved key manager: {}", serverKeyManager);
    X509TrustManager trustManager =
        (X509TrustManager) myCertificateHandlerService.getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
    X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
    LOG.info("Retrieved CA certificates: {}", acceptedIssuers);
    SslContextBuilder builder = SslContextBuilder.forServer(serverKeyManager)
        .trustManager(trustManager)
        .clientAuth(ClientAuth.REQUIRE)
        .ciphers(CIPHER_SUITES_SUPPORTED)
        .protocols(TLS_VERSION_1_3); // Explicitly set TLSv1.3
    .sslProvider(SslProvider.JDK);
    NettyServerBuilder.forPort(PORT)
        .sslContext(GrpcSslContexts.configure(builder).build())
        .addService(new LoadReportingRpcService());
    myServer = serverBuilder.directExecutor().build();
    myServer.start();
} catch (Exception e) {
    LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA, "Failed to build SSL context {}", e);
}

Also I have created NettyChannelBuilder with sslContext with TLS1.3 and invoked rpc method in grpc server as below

import io.grpc.LoadBalancerRegistry;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.NameResolverRegistry;
import io.grpc.StatusRuntimeException;
import io.grpc.internal.DnsNameResolverProvider;
import io.grpc.internal.PickFirstLoadBalancerProvider;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.stub.StreamObserver;

String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
try {
    TrustManager[] caTrustManagers = myCertificateHandlerService.getServerTrustManagers(serviceGroup);
    KeyManager[] clientKeyManagers = myCertificateHandlerService.getClientKeyManagers(serviceGroup);
    if (caTrustManagers == null || clientKeyManagers == null) {
        LOG.error("NN Failed to retrieve PKI components. Server trust manager was {}, client key manager was {}, for service group {}",
            caTrustManagers,
            clientKeyManagers,
            serviceGroup);
    } else {
        LOG.error("NN Configure TLS1.3 client");
        X509TrustManager caTrustManager = (X509TrustManager) caTrustManagers[0];
        KeyManager keyManager = clientKeyManagers[0];
        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient()
            .trustManager(caTrustManager)
            .keyManager(keyManager)
            .protocols(TLS_VERSION_1_3);
        .sslProvider(SslProvider.JDK)
            .ciphers(CIPHER_SUITES_SUPPORTED);
        ManagedChannelBuilder << ? > channelBuilder = NettyChannelBuilder.forAddress(target, GRPC_PORT);
        channelBuilder.directExecutor();
        LOG.error("NN tls enabled {}", isTlsEnabled());
        if (isTlsEnabled()) {
            LOG.error("NN tls enabled and start secure grpc client");
            ((NettyChannelBuilder) channelBuilder).sslContext(GrpcSslContexts.configure(sslContextBuilder).build())).useTransportSecurity();
    }
    foundChannel = channelBuilder.build();
    ReportingServiceGrpc.ReportingServiceStub stub = ReportingServiceGrpc.newStub(foundChannel);
    stub.invokeRpcMethod();
}
} catch (Exception e) {
    LOG.error("Failed to create ssl context for {}", serviceGroup, e);
}

I was using below TLS1.3 ciphers in both server and client

private static final Iterable < String > CIPHER_SUITES_SUPPORTED =
         Arrays.asList("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
             "TLS_CHACHA20_POLY1305_SHA256");

But observed that TLS1.2 connection is established always from client to server communication. Here i have configured with TLS1.3 in sslcontext in both client and server and i am using java 11. It should establish TLS1.3 right?

is it a bug in GRPC? Otherwise please clarify me with the solution with what am i missing ?

Improve this question
1
  • Anyone pls check and reply for this query? Commented Jun 11 at 3:38
Related questions
3
Java gRPC - TLS - how to set up mutual TLS on the client side?
4
Reload Netty Server's SSL Context for gRPC
0
one grpc server for both unary and bidi stream with netty
Load 4 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.