On Fri, Aug 26, 2022 at 6:00 AM Elhanan Maayan <elh.maa...@gmail.com> wrote:

> If I understand correctly, if I wish to extract the master key for
> Wireshark sniffing, I need to use this:
> GrpcSslContexts.configure(sslContextBuilder, Security.getProvider("SunJSSE"));
>

FYI, there was a PR <https://github.com/grpc/grpc-java/pull/7724> to
support master key logging for other providers, but it was reverted
<https://github.com/grpc/grpc-java/pull/7792>.

> Are there any major differences between using the default provider vs
> using SunJSSE?
> Performance? Security?
> Is there a way to configure the provider externally via system property?
>

The default provider isn't a java.security.Provider. The default is a
SslProvider enum value (a configure() overload
<https://grpc.github.io/grpc-java/javadoc/io/grpc/netty/GrpcSslContexts.html#configure-io.netty.handler.ssl.SslContextBuilder-io.netty.handler.ssl.SslProvider->)
of OPENSSL
<https://netty.io/4.1/api/io/netty/handler/ssl/SslProvider.html#OPENSSL>.
It uses netty-tcnative which can use openssl, boringssl, and libressl. The
build we recommend is boringssl-based (and this is included in
grpc-netty-shaded). So the implementation is quite different. However, for
users on Java 11+, using SunJSSE should be fine. SunJSSE was unusable in
Java 7 and had poor AES GCM performance in Java 8. I suspect Java 11
performance is close enough that many users wouldn't notice a difference.

You can use `-Dio.netty.transport.noNative=true` or
`-Dio.grpc.netty.shaded.io.netty.transport.noNative=true` to disable
loading tcnative, depending on whether you are using grpc-netty or
grpc-netty-shaded, respectively.

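An added example, not part of the original thread or of grpc-java itself: one way to keep gRPC's default TLS provider for normal runs and switch a client to SunJSSE only when a flag is set for a capture session. The class name, the `app.tls.useSunJsse` property, and the host and port are hypothetical; the imports assume unshaded grpc-netty.

```java
// With grpc-netty-shaded, the same classes live under
// io.grpc.netty.shaded.io.grpc.netty and io.grpc.netty.shaded.io.netty.
import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLException;

public final class TlsProviderSelect {
    // Hypothetical application-level switch; not a gRPC or Netty property.
    static final String USE_JSSE_PROP = "app.tls.useSunJsse";

    static SslContext clientContext() throws SSLException {
        // forClient() already applies gRPC's default provider selection
        // (tcnative/OPENSSL when it can be loaded).
        SslContextBuilder builder = GrpcSslContexts.forClient();

        if (Boolean.getBoolean(USE_JSSE_PROP)) {
            Provider jsse = Security.getProvider("SunJSSE");
            if (jsse == null) {
                throw new IllegalStateException(
                    "SunJSSE provider is not installed in this JVM");
            }
            // java.security.Provider overload: the JDK TLS stack handles
            // the handshake instead of netty-tcnative.
            GrpcSslContexts.configure(builder, jsse);
        }
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        SslContext ctx = clientContext();
        // The context class name shows which implementation was selected.
        System.out.println("SslContext: " + ctx.getClass().getName());

        // Placeholder endpoint (constructed for this example).
        ManagedChannel channel = NettyChannelBuilder
            .forAddress("localhost", 50051)
            .sslContext(ctx)
            .build();
        channel.shutdownNow();
    }
}
```

Run with `-Dapp.tls.useSunJsse=true` to select SunJSSE; without it the client keeps the default provider.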