
Is there a way to configure NettyServerBuilder with SniHandler?


Is it possible to configure io.grpc.netty.NettyServerBuilder with io.netty.handler.ssl.SniHandler for Server Name Indication capabilities of a gRPC server?

I would like to use SNI to switch the server certificates used based on the host name.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments:19 (7 by maintainers)

Top GitHub Comments

2 reactions
ejona86 commented, Oct 31, 2020

> The client side SslContext would have an SSLEngine configured with the SSLParameters.setServerNames(SNIHostName) that would be sent to the server.

That’s already handled. Lots of modern Internet infrastructure would break without the client providing SNI.

> I think the current conclusion is that grpc-netty does not support SNI at all since it is not possible to configure multiple aliases.

I’d accept “it is a huge pain to configure multiple aliases,” but it is possible. The alias lookup is part of the KeyManager, so you can totally return them. Java’s keytool can be used to create a keystore with multiple aliases, either JKS or PKCS12.

After poking around a bit, it looks like this actually works out-of-the-box (in the Java sense, not gRPC), where you don’t need to write any SNI lookup code, as long as you have multiple entries in your keystore. Java’s “New” X509KeyManager searches through all the aliases looking for a certificate that matches the SNI name. You just have to make sure to use the newer X509 key manager and not the older SunX509 key manager.

To make the keystore, I used openssl to create p12 files of the cert+key. Then I used keytool to combine them into a single file. (I used “changeit” as all my passwords)

openssl pkcs12 -export -out server0.p12 -inkey server0.key -in server0.pem
openssl pkcs12 -export -out server1.p12 -inkey server1.key -in server1.pem
keytool -importkeystore -srckeystore server0.p12 -destkeystore server.p12 -deststoretype pkcs12
keytool -importkeystore -srckeystore server1.p12 -destkeystore server.p12
# keytool reports that the alias from the second file already exists in server.p12:
# type "no" so the first entry is not overwritten, then type any distinct alias for the second entry
# (giving openssl -name <alias>, or keytool -srcalias/-destalias, avoids the prompts)

And then to create the Netty SslContext:

import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

// One PrivateKeyEntry per hostname; the alias names themselves do not matter.
KeyStore store = KeyStore.getInstance("PKCS12");
store.load(TestUtils.class.getResourceAsStream("/certs/server.p12"),
    "changeit".toCharArray());
// "NewSunX509" (not the older "SunX509") is the key manager that matches the
// client's SNI name against the certificate of each alias.
KeyManagerFactory factory = KeyManagerFactory.getInstance("NewSunX509");
factory.init(store, "changeit".toCharArray());
SslContext sslContext =
    GrpcSslContexts.configure(SslContextBuilder.forServer(factory))
        .build();

It is possible to build the KeyStore at runtime, but converting a file-based private key to the Java PrivateKey class is needlessly annoying. Normally Netty’s utilities do that for you, but that’s not available here to my knowledge.

1 reaction
ejona86 commented, Nov 2, 2020

> My understanding is that the client side still needs an SSLEngine configured with SSLParameters.setServerNames(SNIHostName) which I need to ensure is set by this point.

SNI is already handled. I think via passing “host” to newEngine(). In any case, lots of stuff would break if it was broken, and I did actually test that code snippet with an unmodified client and the client-provided hostname did change the certificate returned. I also saw the SNI name show up in Wireguard.

So there should be no need to change anything on client-side.
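The two comments above make two claims: the server side needs no SNI lookup code once the keystore has one entry per host and the "NewSunX509" key manager is used, and the client side already sends SNI. The following loopback check is an added example, not code from the issue or from grpc-netty. It uses plain JSSE rather than gRPC so that the key-manager behaviour is isolated from the Netty pipeline; the same KeyManagerFactory is what SslContextBuilder.forServer(factory) consumes. It assumes a PKCS12 at certs/server.p12 built by the procedure above (hypothetical path), and that the two certificates carry a SAN dNSName (or, for legacy certificates, a CN) of server0.example and server1.example (hypothetical names). That last point is the practical caveat: the JDK key manager matches the SNI name against the certificate's names, so certificates made with openssl should be issued with a SAN, for example `openssl req ... -addext "subjectAltName=DNS:server0.example"` on OpenSSL 1.1.1 or later. Requires Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Loopback check that the "NewSunX509" key manager serves a different alias
 * depending on the SNI name the client sends. Plain JSSE, no gRPC involved.
 */
public class SniAliasCheck {
    // Assumptions: a PKCS12 built as in the comment above, one PrivateKeyEntry
    // per host, each certificate naming (SAN dNSName or legacy CN) the host the
    // client will send in SNI. Path and hostnames are hypothetical.
    static final String KEYSTORE_PATH = "certs/server.p12";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String[] HOSTS = {"server0.example", "server1.example"};

    static KeyStore loadStore() throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            store.load(in, PASSWORD);
        }
        return store;
    }

    /** Server context; pass "SunX509" instead to see the pre-SNI key manager. */
    static SSLContext serverContext(String keyManagerAlgorithm) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(keyManagerAlgorithm);
        kmf.init(loadStore(), PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Client context that trusts the leaf certificate of every key entry in the same file. */
    static SSLContext clientContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Handshakes with SNI = sniHost and returns the subject DN of the leaf
     * certificate the server presented. Endpoint identification is switched on,
     * so a certificate that does not name sniHost fails the handshake instead
     * of being silently accepted.
     */
    static String servedSubject(SSLContext server, String sniHost) throws Exception {
        try (SSLServerSocket listener = (SSLServerSocket) server.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            listener.setSoTimeout(5_000);
            Thread acceptor = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) listener.accept()) {
                    s.startHandshake();
                    s.getInputStream().read(); // wait for the client's single byte
                } catch (Exception ignored) {
                    // a failed handshake is reported on the client side
                }
            });
            acceptor.start();
            try (SSLSocket client = (SSLSocket) clientContext().getSocketFactory()
                    .createSocket(listener.getInetAddress(), listener.getLocalPort())) {
                SSLParameters params = client.getSSLParameters();
                params.setServerNames(
                    Collections.<SNIServerName>singletonList(new SNIHostName(sniHost)));
                params.setEndpointIdentificationAlgorithm("HTTPS");
                client.setSSLParameters(params);
                client.startHandshake();
                X509Certificate leaf =
                    (X509Certificate) client.getSession().getPeerCertificates()[0];
                client.getOutputStream().write(0);
                return leaf.getSubjectX500Principal().getName();
            } finally {
                acceptor.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext server = serverContext(args.length > 0 ? args[0] : "NewSunX509");
        for (String host : HOSTS) {
            System.out.println(host + " -> " + servedSubject(server, host));
        }
    }
}
```

Run it once with no argument and each hostname should print the subject of its own certificate. Run it again with `SunX509` as the argument: that key manager ignores the requested server names and returns the same alias for every connection, so one of the two handshakes should now fail endpoint identification, which is the observable difference the first comment describes.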
