Skip to content

xds: xDS based SNI setting and SAN validation #12378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 86 commits into from
Sep 29, 2025
Merged

xds: xDS based SNI setting and SAN validation #12378

merged 86 commits into from
Sep 29, 2025

Conversation

kannanjgithub
Copy link
Contributor

@kannanjgithub kannanjgithub commented Sep 24, 2025
edited
Loading

When using xDS credentials make SNI for the Tls handshake to be configured via xDS, rather than use the channel authority as the SNI, and make SAN validation to be able to use the SNI sent when so instructed via xDS.

Implements A101.

@kannanjgithub
Add Docker fiels for xds example server and client.
ed5072e
@kannanjgithub
Merge branch 'grpc:master' into master
c8be933
@kannanjgithub
Merge branch 'grpc:master' into master
63997fd
@kannanjgithub
Changes needed for System root certs to work. Commented out the chang…
6263cce 
…e for SNI in ProtocolNegotiators.java
@kannanjgithub
In-progress changes.
5e794bf
@kannanjgithub
Save changes.
30ffa7b
@kannanjgithub
Save changes.
42c9df0
@kannanjgithub
save changed
f12bc61
@kannanjgithub
Save changes.
e9c4e3c
@kannanjgithub
Save changes.
dd8fa02
@kannanjgithub
Save changes.
a371065
@kannanjgithub
XdsX509TrustManager changes for auto sni san validation.
a6f1bc9
@kannanjgithub
Fallback flag when no sni is available to send to specify to use xds …
a576df0 
…channel authority itself.
@kannanjgithub
Save changes
ce1f2d0
@kannanjgithub
Unit test for auto host sni hostname propagation to ClientSecurityHan…
5a4f758 
…der.
@kannanjgithub
Save changes.
4076998
@kannanjgithub
Save changes.
968d564
@kannanjgithub
Merge branch 'master' into systemrootcerts-ignore-trusted-root-updates
4cf653d
@kannanjgithub
Save changes.
6c1898a
@kannanjgithub
Save changes.
5be2aa2
@kannanjgithub
style
90abe55
@kannanjgithub
Add comment and rename some confusing method names.
4c44e4c
@kannanjgithub
Merge branch 'clientsidenormaltls-systemrootcert-handle' into systemr…
ae74a9e 
…ootcerts-ignore-trusted-root-updates
@kannanjgithub
style.
199cc69
@kannanjgithub
Handle Sslcontext updates for System root certs with and without Mtls.
37cd044
@kannanjgithub
Merge branch 'systemrootcerts-ignore-trusted-root-updates' into syste…
14a91e7 
…m-root-changes-needed

# Conflicts:
#	xds/src/main/java/io/grpc/xds/internal/security/SslContextProviderSupplier.java
#	xds/src/test/java/io/grpc/xds/CdsLoadBalancer2Test.java
#	xds/src/test/java/io/grpc/xds/internal/security/SslContextProviderSupplierTest.java
#	xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java
@kannanjgithub
Merge fixes
6958b4e
@kannanjgithub
Style changes.
139805e
@kannanjgithub
Fix some mistakes in code.
4417fcc
@kannanjgithub
Remove special-casing for System root certs in SslContextProviderSupp…
7f48afa 
…lier and handle it in
@kannanjgithub
Copy link
Contributor Author

I have done the changes discussed, but am yet to fix tests including compilation errors in a few of them.

ejona86
ejona86 reviewed Sep 25, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About to get on a call, so sending what I have. This looks a lot better; I don't really have any reservations from what I've seen.

netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
HostPort hostPort = parseAuthority(authority);
this.host = hostPort.host;
this.port = hostPort.port;
// TODO: For empty authority and fallback flag
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Half-baked thought (I haven't double checked with the expected behavior): it seems we should just pass sni = null here instead of empty string when GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE is set. If the XDS config is saying to validate the SAN from the SNI and it also dosen't have a hostname, then that's a rather minor case that might pass when it should fail.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could either pass empty SNI here and change it to null when fallback flag is set (which is what I was going to do), or we could do that in the calling site at ClientTlsProtocolNegotiator itself and pass a null SNI in that case. The bigger question is at the time of SAN validation do we get the xDS channel authority from the SsllParameters.getServerNames(), and if so we should not use it for the SAN validation, and that would require setting some state in the XdsX509TrustManager.

ejona86
ejona86 approved these changes Sep 25, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving ATTR_ADDRESS_NAME out of InternalXdsAttributes looks to be main thing. Everything else is small.

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {
List<StringMatcher> sniNamesToMatch = new ArrayList<>();
if (CertificateUtils.isXdsSniEnabled && autoSniSanValidation) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: we strongly want to avoid checks like this deep in the code. It is very easy to miss a spot and generally wrong because verification checks should be impacted (e.g., XdsClusterResource.validateUpstreamTlsContext()). Instead, we'd want to handle this when parsing (XdsClusterResource) and then force autoSniSanValidation = false when CertificateUtils.isXdsSniEnabled == false.

Given this code is already failing to copy into our own data structures, it is sort of annoying to fix here. But keep it in mind in general.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Acknowledged.

@kannanjgithub kannanjgithub merged commit 0567531 into grpc:master Sep 29, 2025
20 of 23 checks passed
@kannanjgithub kannanjgithub deleted the sni-san-changes branch September 29, 2025 16:22
shivaspeaks
shivaspeaks reviewed Oct 2, 2025
View reviewed changes
netty/src/main/java/io/grpc/netty/InternalProtocolNegotiators.java
*/
public static InternalProtocolNegotiator.ProtocolNegotiator tls(SslContext sslContext) {
return tls(sslContext, null, Optional.absent());
public static InternalProtocolNegotiator.ProtocolNegotiator tls(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not an api breaking change? Should we do function overloading here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ejona86 ejona86 ejona86 approved these changes

@shivaspeaks shivaspeaks shivaspeaks left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kannanjgithub @ejona86 @shivaspeaks