ok-http: Per-rpc call option authority verification #11754
Conversation
…orityverifyokhttp
| @Override | ||
| public SSLParameters getSSLParameters() { | ||
| SSLParameters sslParameters = sslSocket.getSSLParameters(); | ||
| sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); |
There was a problem hiding this comment.
The endpointIdentificationAlgorithm in sslParameters of the real sslSocket is null. In the case of Netty we are setting it here
for the handshake but not for Okhttp.There was a problem hiding this comment.
But changing here isn't actually changing it for the connection. I think we're generally depending on the HostnameVerifier instead. setEndpointIdentificationAlgorithm() was added in Android API level 24. We're claiming to support API level 21 (although we should change that to 23)
I'm really bothered by the lack of failure building this. AnimalSniffer missed some things at times, but it seems to be completely broken right now. Running with --console=plain I see animalsnifferMain is SKIPPED. Digging deeper, it seems we're missing @signature in the version so it hasn't been running.
There was a problem hiding this comment.
But the setting endpoint algorithm in the wrapper SslSocket was for causing the hostname check to occur when we do the per rpc check using the X509ExrendedTrustManager. Do we not want that to happen?
There was a problem hiding this comment.
As long as we don't have a minimum API level of 24 we can't check authority using X509ExtendedTrustManager. Should we then remove these changes and use only HostnameVerifier, and disallow per rpc authority override if one is not provided?
There was a problem hiding this comment.
Discussed offline and understood we let the same checks during handshake apply during RPC and removed calling setEndpointIdentificationAlgorithm.
…oved setting sslEndpointAlgorithm.
This reverts commit f5b3614.
|
Yet to make the changes to use X509ExtendedTrustManager only via reflection if it is available in the class loader. |
Done. |
|
Moved the authority verification from OkHttpClientTransport.newStream down to the point just before sending the headers over the network so any overwrites to the authority gets seen. |
examples/build.gradle
Outdated
| @@ -45,7 +45,7 @@ dependencies { | |||
| protobuf { | |||
| protoc { artifact = "com.google.protobuf:protoc:${protocVersion}" } | |||
| plugins { | |||
| grpc { artifact = "io.grpc:protoc-gen-grpc-java:${grpcVersion}" } | |||
| grpc { artifact = "io.grpc:protoc-gen-grpc-java:1.70.0" } | |||
| @@ -23,6 +23,7 @@ | |||
| import io.grpc.examples.helloworld.GreeterGrpc; | |||
| import io.grpc.examples.helloworld.HelloReply; | |||
| import io.grpc.examples.helloworld.HelloRequest; | |||
| import io.grpc.stub.ServerCallStreamObserver; | |||
| throws GeneralSecurityException { | ||
| InputStream rootCertsStream = new ByteArrayInputStream(rootCerts); | ||
| try { | ||
| return io.grpc.internal.CertificateUtils.createTrustManager(rootCertsStream); |
There was a problem hiding this comment.
Delete io.grpc.internal.CertificateUtils.
| @@ -389,13 +442,14 @@ public void ping(final PingCallback callback, Executor executor) { | |||
| } | |||
|
|
|||
| @Override | |||
| public OkHttpClientStream newStream( | |||
| public ClientStream newStream( | |||
| if (tlsCreds.getTrustManagers() != null) { | ||
| tm = tlsCreds.getTrustManagers().toArray(new TrustManager[0]); | ||
| } else if (tlsCreds.getRootCertificates() != null) { | ||
| tm = CertificateUtils.createTrustManager(tlsCreds.getRootCertificates()); |
There was a problem hiding this comment.
We don't want to create a trust manager each RPC.
| if (hostnameVerifier != null | ||
| && socket instanceof SSLSocket | ||
| && !hostnameVerifier.verify(authority, | ||
| ((SSLSocket) socket).getSession())) { |
There was a problem hiding this comment.
Unwrap this line. It shouldn't be at the same indentation level as the previous line, because the verify() method has wrapped, but it didn't need to be wrapped anyway.
| if (goAwayStatus != null) { | ||
| clientStream.transportState().transportReportStatus( | ||
| goAwayStatus, RpcProgress.MISCARRIED, true, new Metadata()); | ||
| } else if (streams.size() >= maxConcurrentStreams) { | ||
| pendingStreams.add(clientStream); | ||
| setInUse(clientStream); | ||
| } else { | ||
| if (hostnameVerifier != null | ||
| && socket instanceof SSLSocket | ||
| && !hostnameVerifier.verify(authority, |
There was a problem hiding this comment.
We don't want to do hostname verification each RPC. This should be part of the peerVerificationResults cache.
# Conflicts: # core/src/main/java/io/grpc/internal/CertificateUtils.java # okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java
No description provided.