Skip to content

netty: only add gRPC negotiator once SSL is established (1.9 backport) #4033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 1, 2018
Merged

netty: only add gRPC negotiator once SSL is established (1.9 backport) #4033

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bd9b66f
netty: only add gRPC negotiator once SSL is established
carl-mastrangelo Jan 25, 2018
e7469d0
netty: Add test to verify error for TLS failure
ejona86 Feb 1, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -609,7 +609,7 @@ private static class BufferUntilTlsNegotiatedHandler extends AbstractBufferingHa

BufferUntilTlsNegotiatedHandler(
ChannelHandler bootstrapHandler, GrpcHttp2ConnectionHandler grpcHandler) {
super(bootstrapHandler, grpcHandler);
super(bootstrapHandler);
this.grpcHandler = grpcHandler;
}

Expand All @@ -628,6 +628,10 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
// Successfully negotiated the protocol.
logSslEngineDetails(Level.FINER, ctx, "TLS negotiation succeeded.", null);

// Wait until negotiation is complete to add gRPC. If added too early, HTTP/2 writes
// will fail before we see the userEvent, and the channel is closed down prematurely.
ctx.pipeline().addBefore(ctx.name(), null, grpcHandler);

// Successfully negotiated the protocol.
// Notify about completion and pass down SSLSession in attributes.
grpcHandler.handleProtocolNegotiationCompleted(
Expand Down
43 changes: 41 additions & 2 deletions netty/src/test/java/io/grpc/netty/NettyClientTransportTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
package io.grpc.netty;

import static com.google.common.base.Charsets.UTF_8;
import static com.google.common.truth.Truth.assertThat;
import static io.grpc.internal.GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE;
import static io.grpc.internal.GrpcUtil.DEFAULT_SERVER_KEEPALIVE_TIMEOUT_NANOS;
import static io.grpc.internal.GrpcUtil.DEFAULT_SERVER_KEEPALIVE_TIME_NANOS;
Expand Down Expand Up @@ -67,6 +68,7 @@
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.codec.http2.StreamBufferingEncoder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.util.AsciiString;
Expand All @@ -83,6 +85,7 @@
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.net.ssl.SSLHandshakeException;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
Expand Down Expand Up @@ -269,6 +272,42 @@ public void run() {
}
}

@Test
public void tlsNegotiationFailurePropagatesToStatus() throws Exception {
File serverCert = TestUtils.loadCert("server1.pem");
File serverKey = TestUtils.loadCert("server1.key");
// Don't trust ca.pem, so that client auth fails
SslContext sslContext = GrpcSslContexts.forServer(serverCert, serverKey)
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.clientAuth(ClientAuth.REQUIRE)
.build();
negotiator = ProtocolNegotiators.serverTls(sslContext);
startServer();

File caCert = TestUtils.loadCert("ca.pem");
File clientCert = TestUtils.loadCert("client.pem");
File clientKey = TestUtils.loadCert("client.key");
SslContext clientContext = GrpcSslContexts.forClient()
.trustManager(caCert)
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE)
.keyManager(clientCert, clientKey)
.build();
ProtocolNegotiator negotiator = ProtocolNegotiators.tls(clientContext, authority);
final NettyClientTransport transport = newTransport(negotiator);
callMeMaybe(transport.start(clientTransportListener));

Rpc rpc = new Rpc(transport).halfClose();
try {
rpc.waitForClose();
fail("expected exception");
} catch (ExecutionException ex) {
StatusException sre = (StatusException) ex.getCause();
assertEquals(Status.Code.UNAVAILABLE, sre.getStatus().getCode());
assertThat(sre.getCause()).isInstanceOf(SSLHandshakeException.class);
assertThat(sre.getCause().getMessage()).contains("SSLV3_ALERT_HANDSHAKE_FAILURE");
}
}

@Test
public void channelExceptionDuringNegotiatonPropagatesToStatus() throws Exception {
negotiator = ProtocolNegotiators.serverPlaintext();
Expand Down Expand Up @@ -521,8 +560,8 @@ private Throwable getRootCause(Throwable t) {
}

private ProtocolNegotiator newNegotiator() throws IOException {
File clientCert = TestUtils.loadCert("ca.pem");
SslContext clientContext = GrpcSslContexts.forClient().trustManager(clientCert)
File caCert = TestUtils.loadCert("ca.pem");
SslContext clientContext = GrpcSslContexts.forClient().trustManager(caCert)
.ciphers(TestUtils.preferredTestCiphers(), SupportedCipherSuiteFilter.INSTANCE).build();
return ProtocolNegotiators.tls(clientContext, authority);
}
Expand Down