From 70f19eecd168b0ea1f15e991170576bf36f74b40 Mon Sep 17 00:00:00 2001
From: Arjan Singh Bal <46515553+arjan-bal@users.noreply.github.com>
Date: Wed, 4 Sep 2024 16:54:56 +0530
Subject: [PATCH] credentials/tls: default GRPC_ENFORCE_ALPN_ENABLED to true (#7535)

---
 credentials/credentials_test.go | 10 ++++++++--
 credentials/xds/xds_client_test.go | 5 ++++-
 credentials/xds/xds_server_test.go | 1 +
 internal/envconfig/envconfig.go | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/credentials/credentials_test.go b/credentials/credentials_test.go
index 08eb9c430ffc..8dc30ad7b704 100644
--- a/credentials/credentials_test.go
+++ b/credentials/credentials_test.go
@@ -297,7 +297,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
 if err != nil {
 return nil, err
 }
- serverTLSConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
+ serverTLSConfig := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ NextProtos: []string{"h2"},
+ }
 serverConn := tls.Server(conn, serverTLSConfig)
 err = serverConn.Handshake()
 if err != nil {
@@ -307,7 +310,10 @@
 }
 
 func tlsClientHandshake(conn net.Conn, _ string) (AuthInfo, error) {
- clientTLSConfig := &tls.Config{InsecureSkipVerify: true}
+ clientTLSConfig := &tls.Config{
+ InsecureSkipVerify: true, // NOLINT
+ NextProtos: []string{"h2"},
+ }
 clientConn := tls.Client(conn, clientTLSConfig)
 if err := clientConn.Handshake(); err != nil {
 return nil, err
diff --git a/credentials/xds/xds_client_test.go b/credentials/xds/xds_client_test.go
index ff4fcf94dafe..0cf8b3fbcbca 100644
--- a/credentials/xds/xds_client_test.go
+++ b/credentials/xds/xds_client_test.go
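Review bot: The added `NextProtos: []string{"h2"}` in tlsServerHandshake's config carries no comment saying why it is suddenly required, so a later cleanup could drop it as unused and get a confusing handshake failure. The reason is on this same page: the patch flips the EnforceALPNEnabled default to true, and this test helper presumably has to offer "h2" so the credentials under test see a negotiated protocol. I would put the reason on the field: `NextProtos: []string{"h2"}, // ALPN is enforced by default (envconfig.EnforceALPNEnabled); the peer is expected to negotiate h2`. The helper's remaining lines are outside the hunk.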
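Review bot: The `// NOLINT` on `InsecureSkipVerify: true` in tlsClientHandshake suppresses the linter without telling the reader why certificate verification is disabled, which is precisely what a suppression on a security setting should record. A reason-bearing comment is short and keeps the marker if the project's linter needs it: `InsecureSkipVerify: true, // NOLINT: test helper only; this exercises the handshake, not server certificate verification`. The function continues past the end of the hunk.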
@@ -146,7 +146,10 @@ func testServerTLSHandshake(rawConn net.Conn) handshakeResult {
 if err != nil {
 return handshakeResult{err: err}
 }
- cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+ cfg := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ NextProtos: []string{"h2"},
+ }
 conn := tls.Server(rawConn, cfg)
 if err := conn.Handshake(); err != nil {
 return handshakeResult{err: err}
diff --git a/credentials/xds/xds_server_test.go b/credentials/xds/xds_server_test.go
index dd3d83aab899..4547cf33b3d3 100644
--- a/credentials/xds/xds_server_test.go
+++ b/credentials/xds/xds_server_test.go
@@ -66,6 +66,7 @@ func makeClientTLSConfig(t *testing.T, mTLS bool) *tls.Config {
 // verification function. So, the server credentials tests will rely
 // solely on the success/failure of the server-side handshake.
 InsecureSkipVerify: true,
+ NextProtos: []string{"h2"},
 }
 }
 
diff --git a/internal/envconfig/envconfig.go b/internal/envconfig/envconfig.go
index 00abc7c2beb0..452985f8d8f1 100644
--- a/internal/envconfig/envconfig.go
+++ b/internal/envconfig/envconfig.go
@@ -45,7 +45,7 @@ var (
 // option is present for backward compatibility. This option may be overridden
 // by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
 // or "false".
- EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", false)
+ EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
 // XDSFallbackSupport is the env variable that controls whether support for
 // xDS fallback is turned on. If this is unset or is false, only the first
 // xDS server in the list of server configs will be used.
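Review bot: Only one of the configs makeClientTLSConfig can return is visible in this hunk, and the new `NextProtos: []string{"h2"}` is added to that one alone; the function's `mTLS bool` parameter suggests a second tls.Config is built in a branch outside the hunk. If that branch does not set NextProtos as well, the mTLS server tests would presumably start failing under the flipped EnforceALPNEnabled default, so that path is worth checking, or better, set NextProtos once on a shared base config so the two branches cannot drift apart. The function begins before and ends after this hunk.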
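Review bot: The default of EnforceALPNEnabled flips from false to true but the doc comment around it is untouched, so it still reads as describing an opt-in knob kept "for backward compatibility" rather than a handshake check that is now on by default with an opt-out. I would state the new default and its consequence on the line just above the variable: `// Defaults to true. Setting GRPC_ENFORCE_ALPN_ENABLED to "false" disables the ALPN check for the whole process and should be treated as a temporary compatibility escape hatch, not a supported configuration.` Since this is an environment variable that silently weakens a security check, it is also worth considering whether boolFromEnv's caller should log a warning when the override is active, so a lingering "false" in a deployment does not go unnoticed. The comment's opening lines and the enclosing var block begin before this hunk.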