Do you happen to be using the Conscrypt JSSE provider? We allow TLS 1.3 for the IBM 
and ALPN JSSE providers but not for Conscrypt 
<https://github.com/grpc/grpc-java/blob/1c430989902856e609ddbff203be1dc4c412ff43/netty/src/main/java/io/grpc/netty/GrpcSslContexts.java#L211>, 
for which we hard-code it to TLS 1.2. There is an open issue 
<https://github.com/grpc/grpc-java/issues/7765> for this.

On Wednesday, June 11, 2025 at 9:12:26 AM UTC+5:30 ganesh.umapathy 
ganesh.umapathy wrote:

> Can anyone pls check this and help us?
>
> On Tuesday, 10 June 2025 at 09:58:43 UTC+5:30 ganesh.umapathy 
> ganesh.umapathy wrote:
>
>> Can anyone pls check and reply on this?
>>
>> On Saturday, 7 June 2025 at 19:41:11 UTC+5:30 ganesh.umapathy 
>> ganesh.umapathy wrote:
>>
>>> I am using NettyChannelBuilder in the grpc client and NettyServerBuilder in 
>>> the grpc server.
>>>
>>> I have created a NettyServerBuilder with an sslcontext set to TLS1.3 and 
>>> started the server as below:
>>> import io.grpc.Server;
>>> import io.grpc.ServerCredentials;
>>> import io.grpc.TlsServerCredentials;
>>> import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
>>> import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
>>> import io.grpc.stub.StreamObserver;
>>> import io.grpc.util.AdvancedTlsX509TrustManager;
>>> import java.security.cert.X509Certificate;
>>> import javax.net.ssl.KeyManager;
>>> import javax.net.ssl.X509TrustManager;
>>>
>>>         private Server myServer;
>>>
>>>         private void startSecureServer() {
>>>         CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
>>>         try {
>>>             // Key manager holding the server certificate and private key
>>>             KeyManager serverKeyManager = myCertificateHandlerService
>>>                     .getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
>>>             LOG.info("Retrieved key manager: {}", serverKeyManager);
>>>
>>>             // Trust manager used to verify client certificates (mutual TLS)
>>>             X509TrustManager trustManager = (X509TrustManager) myCertificateHandlerService
>>>                     .getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
>>>             X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
>>>             LOG.info("Retrieved CA certificates: {}", acceptedIssuers);
>>>
>>>             SslContextBuilder builder = SslContextBuilder.forServer(serverKeyManager)
>>>                     .trustManager(trustManager)
>>>                     .clientAuth(ClientAuth.REQUIRE)
>>>                     .ciphers(CIPHER_SUITES_SUPPORTED)
>>>                     .protocols(TLS_VERSION_1_3)   // explicitly set TLSv1.3
>>>                     .sslProvider(SslProvider.JDK);
>>>
>>>             // configure() layers gRPC's own provider/ALPN settings on top of the builder
>>>             SslContext sslContext = GrpcSslContexts.configure(builder).build();
>>>             NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(PORT)
>>>                     .sslContext(sslContext)
>>>                     .addService(new LoadReportingRpcService());
>>>             myServer = serverBuilder.directExecutor().build();
>>>             myServer.start();
>>>         }
>>>         catch (Exception e) {
>>>             LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA,
>>>                     "Failed to build SSL context {}", e);
>>>         }
>>>         }
>>>
>>> Also I have created a NettyChannelBuilder with an sslContext set to TLS1.3 and 
>>> invoked an rpc method on the grpc server as below:
>>>
>>> import io.grpc.LoadBalancerRegistry;
>>> import io.grpc.ManagedChannel;
>>> import io.grpc.ManagedChannelBuilder;
>>> import io.grpc.NameResolverRegistry;
>>> import io.grpc.StatusRuntimeException;
>>> import io.grpc.internal.DnsNameResolverProvider;
>>> import io.grpc.internal.PickFirstLoadBalancerProvider;
>>> import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
>>> import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
>>> import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
>>> import io.grpc.stub.StreamObserver;
>>> import javax.net.ssl.KeyManager;
>>> import javax.net.ssl.TrustManager;
>>> import javax.net.ssl.X509TrustManager;
>>>
>>>         private ManagedChannel foundChannel;
>>>
>>>         private void startSecureClient(String target) {
>>>         String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
>>>         try
>>>         {
>>>             // CA trust managers for verifying the server, key managers for the client cert
>>>             TrustManager[] caTrustManagers = myCertificateHandlerService.getServerTrustManagers(serviceGroup);
>>>             KeyManager[] clientKeyManagers = myCertificateHandlerService.getClientKeyManagers(serviceGroup);
>>>             if (caTrustManagers == null || clientKeyManagers == null)
>>>             {
>>>                 LOG.error("NN Failed to retrieve PKI components. Server trust manager was {}, client key manager was {}, for service group {}",
>>>                         caTrustManagers,
>>>                         clientKeyManagers,
>>>                         serviceGroup);
>>>             }
>>>             else
>>>             {
>>>                 LOG.error("NN Configure TLS1.3 client");
>>>                 X509TrustManager caTrustManager = (X509TrustManager) caTrustManagers[0];
>>>                 KeyManager keyManager = clientKeyManagers[0];
>>>                 SslContextBuilder sslContextBuilder = SslContextBuilder.forClient()
>>>                         .trustManager(caTrustManager)
>>>                         .keyManager(keyManager)
>>>                         .protocols(TLS_VERSION_1_3)
>>>                         .sslProvider(SslProvider.JDK)
>>>                         .ciphers(CIPHER_SUITES_SUPPORTED);
>>>                 ManagedChannelBuilder<?> channelBuilder = NettyChannelBuilder.forAddress(target, GRPC_PORT);
>>>                 channelBuilder.directExecutor();
>>>                 LOG.error("NN tls enabled {}", isTlsEnabled());
>>>                 if (isTlsEnabled())
>>>                 {
>>>                     LOG.error("NN tls enabled and start secure grpc client");
>>>                     // configure() layers gRPC's own provider/ALPN settings on top of the builder
>>>                     SslContext sslContext = GrpcSslContexts.configure(sslContextBuilder).build();
>>>                     ((NettyChannelBuilder) channelBuilder).sslContext(sslContext).useTransportSecurity();
>>>                 }
>>>                 foundChannel = channelBuilder.build();
>>>                 ReportingServiceGrpc.ReportingServiceStub stub = ReportingServiceGrpc.newStub(foundChannel);
>>>                 stub.invokeRpcMethod();
>>>             }
>>>         }
>>>         catch (Exception e)
>>>         {
>>>             LOG.error("Failed to create ssl context for {}", serviceGroup, e);
>>>         }
>>>         }
>>>
>>> I was using the TLS1.3 ciphers below in both server and client:
>>>
>>>     private static final Iterable<String> CIPHER_SUITES_SUPPORTED =
>>>             Arrays.asList("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
>>>                     "TLS_CHACHA20_POLY1305_SHA256");
>>>
>>>
>>> But I observed that a TLS1.2 connection is always established for client to 
>>> server communication. Here I have configured TLS1.3 in the sslcontext in 
>>> both client and server, and I am using Java 11. It should establish TLS1.3, 
>>> right?
>>>
>>> Is it a bug in gRPC? Otherwise, please clarify what I am missing and what 
>>> the solution is.
>>
>>

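A small diagnostic, added here and not part of the thread or of grpc-java itself, that builds a client SslContext the way the posted code does and reports two things the reply above turns on: whether Conscrypt is registered as a security provider in this JVM, and which protocols GrpcSslContexts.configure() actually leaves enabled on a fresh engine. The class name TlsVersionCheck is my own; the shaded package names and cipher list are those used in the post.

```java
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.buffer.ByteBufAllocator;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import io.grpc.netty.shaded.io.netty.util.ReferenceCountUtil;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLEngine;

// Added diagnostic (hypothetical class, not from the thread): run it in the client JVM
// so the provider set matches production.
public final class TlsVersionCheck {
    /** True if Conscrypt is registered as a security provider in this JVM. */
    static boolean conscryptInstalled() {
        for (Provider p : Security.getProviders()) {
            if ("Conscrypt".equals(p.getName())
                    || p.getClass().getName().startsWith("org.conscrypt.")) {
                return true;
            }
        }
        return false;
    }

    /** Builds a client context like the post, then reads back what a fresh engine offers. */
    static String[] enabledProtocolsAfterConfigure() throws Exception {
        SslContextBuilder builder = SslContextBuilder.forClient()
                .protocols("TLSv1.3")
                .sslProvider(SslProvider.JDK)
                .ciphers(Arrays.asList("TLS_AES_256_GCM_SHA384",   // same TLS 1.3-only
                        "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256")); // list as the post
        // configure() layers gRPC's provider/ALPN settings on top of the builder;
        // per the reply above, with Conscrypt it pins the protocol to TLSv1.2.
        SslContext ctx = GrpcSslContexts.configure(builder).build();
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT);
        try {
            System.out.println("SslContext class: " + ctx.getClass().getName());
            return engine.getEnabledProtocols();
        } finally {
            ReferenceCountUtil.release(engine); // OpenSSL-backed engines are ref-counted
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Conscrypt installed: " + conscryptInstalled());
        String[] protocols = enabledProtocolsAfterConfigure();
        System.out.println("Enabled protocols: " + Arrays.toString(protocols));
        // Without TLSv1.3 here the handshake can only be TLSv1.2, so a TLS 1.3-only cipher list fails.
    }
}
```

The printed SslContext class also shows whether the builder's SslProvider.JDK choice survived configure() or was replaced by the default provider of the shaded artifact.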