Support of Cipher Suite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 #8610
Comments
Introducing a newer version of okhttp is not something we will do in the short term. Adding Cipher Suite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 to the grpc-java forked version may only work on platforms with Android API level or JDK version high enough. @beatrausch would you like to send a PR?
Yes, it should be added to our internal CipherSuite fork. And we should probably also enable it in our default connection spec.
Hi, the PR should simply add Do you know a better source of cipher suite availability in certain Java versions? Regards,
CipherSuite doesn't actually use I think we would just care that the ciphers listed for HTTP/2 in Netty are included, as we'd like them to be in sync for our default: grpc-java/okhttp/src/main/java/io/grpc/okhttp/OkHttpChannelBuilder.java Lines 104 to 118 in d2b9151
So I'd imagine it'd be as simple as adding TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, and potentially the TLS 1.3 ciphers as well: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. That should be pretty easy.
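Added example, not code from this issue or from grpc-java: a small Java check for which of the suites named above the running JVM can actually negotiate, which is the "platform with Android API level or JDK version high enough" question from the first comment. It asks the default SSLContext for its supported and default-enabled cipher suites and protocols, then keeps the candidate suites in preference order, the same ordered intersection a connection spec ends up applying. The class name, method names and candidate list are my own; the suite names are the ones discussed in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuiteAvailability {

    // Suites discussed in the issue: the two TLS 1.2 ChaCha20-Poly1305 suites
    // followed by the three TLS 1.3 suites. Order is client preference order.
    static final List<String> CANDIDATE_SUITES = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256");

    /**
     * Returns the candidate suites, in their original preference order, that the
     * given SSLContext reports as supported. Unsupported names are dropped rather
     * than passed on, because setEnabledCipherSuites() rejects unknown names.
     */
    static List<String> supportedCandidates(SSLContext ctx, List<String> candidates) {
        Set<String> supported = new LinkedHashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> usable = new ArrayList<>();
        for (String suite : candidates) {
            if (supported.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // The JVM's default provider; on Android this would be the platform Conscrypt.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("supported protocols = " + Arrays.toString(supported.getProtocols()));
        System.out.println("default protocols   = " + Arrays.toString(enabled.getProtocols()));

        Set<String> supportedSuites = new LinkedHashSet<>(Arrays.asList(supported.getCipherSuites()));
        Set<String> enabledSuites = new LinkedHashSet<>(Arrays.asList(enabled.getCipherSuites()));
        for (String suite : CANDIDATE_SUITES) {
            System.out.printf("%-48s supported=%-5b enabledByDefault=%b%n",
                suite, supportedSuites.contains(suite), enabledSuites.contains(suite));
        }
        System.out.println("usable candidates   = " + supportedCandidates(ctx, CANDIDATE_SUITES));
    }
}
```

Run it with `java CipherSuiteAvailability.java` on each JDK you care about; a suite that shows `supported=false` cannot be enabled on that runtime no matter what the connection spec lists, and a TLS 1.3 suite is only meaningful when "TLSv1.3" appears among the supported protocols. To check a different provider, such as a bundled Conscrypt on the JVM, register it and obtain the context with `SSLContext.getInstance("TLS", providerName)` instead of `getDefault()` (the provider name is whatever that provider registers under; I have not hard-coded one here).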
Hi,
It seems that it is related to that issue: #7765. I am running the tests with 1.8.0_292.
Yeah, don't add the TLS 1.3 ciphers to the default connection spec. Doing that was just for if it was easy. But you can add a link to that issue as a comment in the code, and add a comment to that issue that it prevented us from adding the ciphers to okhttp's default connection spec. (Feel free to add the ciphers to the default connection spec, but commented out. But that's all just "nice to have" and nothing TLS 1.3 will be expected/required from your change.)
Hi, right now I am testing the changes I made for TLS 1.2 and TLS 1.3 on Android.
I just thought it might be a server issue. But when I run a simple curl on Linux, the ALPN negotiation seems to work:
Any ideas?
I will add the missing enums, but don't add them to the default connection spec in the OkhttpChannelBuilder
Yeah, I will do so.
Choosing the API to use when configuring ALPN is... complicated. If you didn't see that error before, but are now, that makes me question if something else changed in Conscrypt for TLS 1.3. This is the place to look:
…mentation for TLS1.3 prepared (#8650) This introduces new TLS 1.2 cipher suites (#8610) and prepares the internal okhttp implementation for TLS1.3. A new method for creating internal ConnectionSpec was added to be able to use the newly introduced cipher suites in the OkHttpChannelBuilder. Okhttp cipher suites synchronized with the ones from netty.
Fixed by #8650
Is your feature request related to a problem?
Grpc-java does not support Cipher Suite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256. So far grpc-java is maintaining its own optimized version of okhttp, thus it is not possible to switch to a new okhttp version that supports newer cipher suites.
Describe the solution you'd like
Add Cipher Suite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 to the grpc-java forked version of okhttp or introduce a newer version of okhttp.
Describe alternatives you've considered
So far I don't see any alternative.
Additional context
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 is a hard requirement in my project. If this cipher suite is not supported I have to switch from grpc to a REST API which I really don’t like.