Skip to content

credentials: Apply defaults to TLS configs provided through GetConfigForClient#7754

Merged
arjan-bal merged 6 commits intogrpc:masterfrom
arjan-bal:defaults-in-get-config-for-client
Oct 22, 2024
Merged

credentials: Apply defaults to TLS configs provided through GetConfigForClient#7754
arjan-bal merged 6 commits intogrpc:masterfrom
arjan-bal:defaults-in-get-config-for-client

Conversation

@arjan-bal
Copy link
Copy Markdown
Contributor

@arjan-bal arjan-bal commented Oct 17, 2024
edited
Loading

Fixes: #7709

TLS server configs provided at TLS handshake time through GetConfigForClient were not modified by grpc-go to ensure secure defaults and a valid ALPN configuration. This PR applies the same handling applied to static TLS configs to the configs obtained by GetConfigForClient.

RELEASE NOTES:

  • credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

@arjan-bal arjan-bal added the Type: Feature New features or improvements in behavior label Oct 17, 2024
@arjan-bal arjan-bal added this to the 1.69 Release milestone Oct 17, 2024
@arjan-bal arjan-bal force-pushed the defaults-in-get-config-for-client branch from b3de47d to 87016c7 Compare October 17, 2024 11:43
@codecov
Copy link
Copy Markdown

codecov Bot commented Oct 17, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.81%. Comparing base (c538c31) to head (0922abc).
Report is 28 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #7754      +/-   ##
==========================================
+ Coverage   79.70%   79.81%   +0.11%     
==========================================
  Files         365      365              
  Lines       36383    36394      +11     
==========================================
+ Hits        29000    29049      +49     
+ Misses       6183     6154      -29     
+ Partials     1200     1191       -9
Files with missing lines Coverage Δ
credentials/tls.go 86.57% <100.00%> (+1.06%) ⬆️

... and 17 files with indirect coverage changes

@arjan-bal arjan-bal added the Type: Behavior Change Behavior changes not categorized as bugs label Oct 17, 2024
gtcooke94
gtcooke94 reviewed Oct 17, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@gtcooke94 gtcooke94 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

cc: @matthewstevenson88

I think this is good, NewTLS should (generally) support the features of the tls.Config where we can and it makes sense. WDYT Matt?

I haven't done a pass on the test file yet, I'll go through that when we are sure we want to add this handling in general.

Comment thread credentials/tls.go Outdated
func NewTLS(c *tls.Config) TransportCredentials {
tc := &tlsCreds{credinternal.CloneTLSConfig(c)}
tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
cfg := applyDefaults(c)
Copy link
Copy Markdown
Contributor

@gtcooke94 gtcooke94 Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't shorten names - cfg -> config

Copy link
Copy Markdown
Contributor Author

@arjan-bal arjan-bal Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed as suggested.

Comment thread credentials/tls.go Outdated
return applyDefaults(cfgForClient), nil
}
}
tc := &tlsCreds{config: cfg}
Copy link
Copy Markdown
Contributor

@gtcooke94 gtcooke94 Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit tc -> creds

Copy link
Copy Markdown
Contributor Author

@arjan-bal arjan-bal Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed the temporary variable an inlined the return.

Comment thread credentials/tls.go
@gtcooke94
Copy link
Copy Markdown
Contributor

gtcooke94 commented Oct 17, 2024

Also, regarding the release notes, let's specify that this is specifically for NewTLS as well, the advancedtls way of configuring would not be affected by this. Suggested wording:

credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

@arjan-bal
Copy link
Copy Markdown
Contributor Author

arjan-bal commented Oct 17, 2024

Also, regarding the release notes, let's specify that this is specifically for NewTLS as well, the advancedtls way of configuring would not be affected by this. Suggested wording:

credentials: TLS credentials created via NewTLS that use tls.Config.GetConfigForClient will now have necessary gRPC-Go defaults, namely CipherSuites, supported TLS versions and ALPN configured automatically. This handling was already present for configs not using the GetConfigForClient function.

Updated, thanks for the suggestion.

easwars
easwars approved these changes Oct 17, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@easwars easwars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Comment thread credentials/tls_ext_test.go Outdated
Comment thread credentials/tls_ext_test.go Outdated
Comment thread credentials/tls_ext_test.go Outdated
@easwars easwars assigned arjan-bal and unassigned easwars Oct 17, 2024
gtcooke94
gtcooke94 reviewed Oct 18, 2024
View reviewed changes
Comment thread credentials/tls_ext_test.go Outdated
gtcooke94
gtcooke94 approved these changes Oct 18, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@gtcooke94 gtcooke94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just that one test structure question, otherwise LGTM

dfawley
dfawley approved these changes Oct 18, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@dfawley dfawley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

@dfawley dfawley assigned arjan-bal and unassigned dfawley and gtcooke94 Oct 18, 2024
@arjan-bal arjan-bal merged commit 80937a9 into grpc:master Oct 22, 2024
1 check passed
@arjan-bal arjan-bal deleted the defaults-in-get-config-for-client branch October 22, 2024 17:28
@DmitriyMV DmitriyMV mentioned this pull request Oct 22, 2024
Closed
@arjan-bal arjan-bal added Area: Auth Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc. and removed Area: Auth Includes regular credentials API and implementation. Also includes advancedtls, authz, rbac etc. labels Nov 6, 2024
purnesh42H pushed a commit to purnesh42H/grpc-go that referenced this pull request Nov 6, 2024
@arjan-bal @purnesh42H
credentials: Apply defaults to TLS configs provided through GetConfig…
bcfee8a 
…ForClient (grpc#7754)
@purnesh42H purnesh42H mentioned this pull request Nov 6, 2024
Merged
purnesh42H added a commit that referenced this pull request Nov 6, 2024
@purnesh42H
credentials: Apply defaults to TLS configs provided through GetConfig…
5363dca 
…ForClient (#7754) (#7813)
misvivek pushed a commit to misvivek/grpc-go that referenced this pull request Nov 7, 2024
@arjan-bal @misvivek
credentials: Apply defaults to TLS configs provided through GetConfig…
f3dcf12 
…ForClient (grpc#7754)
@tbg tbg mentioned this pull request Nov 27, 2024
Closed
16 tasks
@dfawley dfawley modified the milestones: 1.69 Release, 1.68 Release Dec 10, 2024
@antoninbas antoninbas mentioned this pull request May 16, 2025
Open
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Jun 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gtcooke94 gtcooke94 gtcooke94 approved these changes

@easwars easwars easwars approved these changes

@dfawley dfawley dfawley approved these changes

Assignees

@arjan-bal arjan-bal

Labels

Type: Behavior Change Behavior changes not categorized as bugs Type: Feature New features or improvements in behavior

Projects

None yet

Milestone

1.68 Release

Development

Successfully merging this pull request may close these issues.

auto-set ALPN when using GetConfigForClient

5 participants

@arjan-bal @gtcooke94 @easwars @dfawley @matthewstevenson88