To fix the TLS handshaking problem, you can use XdsChannelCredentials which lets the xds server control the TLS configuration and hostname verification. The grpc-java xDS example demonstrates this when using --xds-creds <https://github.com/grpc/grpc-java/tree/master/examples/example-xds#run-the-example-with-xds-credentials>. Using XdsChannelCredentials is required, as it provides an opt-in to trusting the xds server as root. The xds server can impersonate services and break security boundaries, but for many users this is acceptable and necessary. gRFC A29 xDS-Based Security <https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md> covers the details here if you end up needing to change the xds configuration delivered to the client.
Since you mentioned reverse proxies, I'll note that there is a related gRFC A81 xDS Authority Rewriting <https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md> that's being implemented. Without overrideAuthority(), the Host/:authority header sent to your Envoy cluster will be derived from `target`. This feature allows the Host/:authority header to be rewritten to a value expected by the server.

On Fri, Dec 13, 2024 at 1:10 PM David Vilaverde <dvilave...@gmail.com> wrote:
> I'm using the grpc-java client 1.69.0 with an XDS server to connect to a
> server that is behind another envoy cluster. The URL for the service is TLS
> and when I run my client, configured like this:
>
> channelBuilder = Grpc.newChannelBuilder(target,
>     TlsChannelCredentials.create());
> // needed otherwise the TLS handshake will fail, I'm assuming
> // due to invalid SNI name not set for TLS handshake
> //
> // channelBuilder.overrideAuthority(SERVICE_URL);
> blockingStub = GeoLookupGrpc.newBlockingStub(channelBuilder.build());
>
> If I uncomment the call to overrideAuthority() which has the FQDN of
> the TLS certificate for the GRPC service behind envoy then the call will
> work as expected.
>
> Is there a way around this so the client doesn't need to know this
> information and everything can be provided to the client via XDS?
>
> Thanks
> Dave
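As an added illustration of what the reply describes (example code written for this page, not code from either poster or from grpc-java itself): the "before" channel from the question, which needs the client to know the backend's certificate name, next to a channel built against an xds: target with XdsChannelCredentials, where the xDS server delivers the TLS settings (trust roots, SAN matchers) and, once A81 is available, the :authority value. The target string `xds:///geo-lookup.example.internal`, the class name and the choice of TlsChannelCredentials as the fallback are assumptions; the grpc-xds artifact must be on the classpath.

```java
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import io.grpc.xds.XdsChannelCredentials;

import java.util.concurrent.TimeUnit;

/**
 * Added example: building a gRPC channel whose transport security and
 * authority are controlled by the xDS control plane instead of being
 * hard-coded in the client.
 */
public final class XdsClientChannel {

  // Assumption: the xDS server serves a Listener/RouteConfiguration for this name.
  private static final String XDS_TARGET = "xds:///geo-lookup.example.internal";

  /**
   * Before: plain TLS credentials. Hostname verification is done against the
   * authority derived from the target, so the client must know the FQDN in
   * the backend certificate and pass it via overrideAuthority().
   */
  static ManagedChannel plainTlsChannel(String target, String serviceUrl) {
    return Grpc.newChannelBuilder(target, TlsChannelCredentials.create())
        .overrideAuthority(serviceUrl) // client-side knowledge of the backend
        .build();
  }

  /**
   * After: XdsChannelCredentials wraps a fallback credential. When the CDS
   * resource for the cluster carries TLS configuration (gRFC A29), that
   * configuration drives the handshake and certificate validation. When the
   * cluster carries no security configuration, the fallback is used; passing
   * TlsChannelCredentials as the fallback keeps the connection from silently
   * dropping to plaintext if the control plane omits the transport socket.
   *
   * Note the trust decision this encodes: the xDS server now decides which
   * roots and SANs are acceptable, so it must be treated as a root of trust.
   */
  static ManagedChannel xdsControlledChannel(String target) {
    ChannelCredentials creds =
        XdsChannelCredentials.create(TlsChannelCredentials.create());
    return Grpc.newChannelBuilder(target, creds).build();
  }

  public static void main(String[] args) throws InterruptedException {
    ManagedChannel channel = xdsControlledChannel(XDS_TARGET);
    try {
      // Stubs are created exactly as in the question, e.g.
      // GeoLookupGrpc.newBlockingStub(channel); the RPC itself is omitted
      // because the service's request type is not shown in the thread.
      System.out.println("authority derived from target: " + channel.authority());
    } finally {
      channel.shutdownNow().awaitTermination(5, TimeUnit.SECONDS);
    }
  }
}
```

The fallback argument is the one setting worth thinking about: InsecureChannelCredentials, which the grpc-java xDS example uses for a plaintext demo, means a cluster delivered without a transport_socket connects in the clear, while a TLS fallback fails closed in that case.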