Consider enforcing ALPN negotiation #1042
Labels
kind/enhancement
Improvements to existing feature.
Comments
glbrntt
added a commit
to glbrntt/grpc-swift
that referenced
this issue
Nov 24, 2020
Motivation: To determine whether we're dealing with gRPC or gRPC Web (i.e. HTTP/2 or HTTP/1) the first bytes received on a new connection are parsed. When TLS is enabled and ALPN is supported there's no need to do this: we will be informed about the protocol we negotiated with our peer and therefore how to configure the channel. We also never enforced that the protocol negotiated via ALPN was used! Modifications: - Add a 'GRPCServerPipelineConfigurator' handler to supersede the 'HTTPProtocolSwitcher'. The new handler will use either ALPN and fall back to parsing the incoming bytes. - The parsing behavior is slightly different to that of 'HTTPProtocolSwitcher' in that we only read off enough bytes for the HTTP/2 connection preface, or enough bytes to parse an HTTP/1 request line (rather than reading the whole buffer as a string and processing that). - Added a server configuration option to disable ALPN being required. - Added tests. Result: - Server pipeline configuration is driven by ALPN, falling back to parsing. - ALPN is enforced on the server (partially resolving grpc#1042)
glbrntt
added a commit
to glbrntt/grpc-swift
that referenced
this issue
Nov 25, 2020
Motivation: To determine whether we're dealing with gRPC or gRPC Web (i.e. HTTP/2 or HTTP/1) the first bytes received on a new connection are parsed. When TLS is enabled and ALPN is supported there's no need to do this: we will be informed about the protocol we negotiated with our peer and therefore how to configure the channel. We also never enforced that the protocol negotiated via ALPN was used! Modifications: - Add a 'GRPCServerPipelineConfigurator' handler to supersede the 'HTTPProtocolSwitcher'. The new handler will use either ALPN and fall back to parsing the incoming bytes. - The parsing behavior is slightly different to that of 'HTTPProtocolSwitcher' in that we only read off enough bytes for the HTTP/2 connection preface, or enough bytes to parse an HTTP/1 request line (rather than reading the whole buffer as a string and processing that). - Added a server configuration option to disable ALPN being required. - Added tests. Result: - Server pipeline configuration is driven by ALPN, falling back to parsing. - ALPN is enforced on the server (partially resolving grpc#1042)
glbrntt
added a commit
that referenced
this issue
Nov 26, 2020
Motivation: To determine whether we're dealing with gRPC or gRPC Web (i.e. HTTP/2 or HTTP/1) the first bytes received on a new connection are parsed. When TLS is enabled and ALPN is supported there's no need to do this: we will be informed about the protocol we negotiated with our peer and therefore how to configure the channel. We also never enforced that the protocol negotiated via ALPN was used! Modifications: - Add a 'GRPCServerPipelineConfigurator' handler to supersede the 'HTTPProtocolSwitcher'. The new handler will use either ALPN and fall back to parsing the incoming bytes. - The parsing behavior is slightly different to that of 'HTTPProtocolSwitcher' in that we only read off enough bytes for the HTTP/2 connection preface, or enough bytes to parse an HTTP/1 request line (rather than reading the whole buffer as a string and processing that). - Added a server configuration option to disable ALPN being required. - Added tests. Result: - Server pipeline configuration is driven by ALPN, falling back to parsing. - ALPN is enforced on the server (partially resolving #1042)
|
Resolved by #1055 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now both the server and the client ignore the result of the ALPN negotiation. The client does log the outcome, but otherwise does nothing: the server largely ignores it and sniffs the initial content. This is likely suboptimal: the ALPN is normative and we should probably pay attention to it. In some cases we likely want to skip that, but we can make that configuration.
The text was updated successfully, but these errors were encountered: