xds: Add SNI related field in handshake info#8965

Open

eshitachandwani wants to merge 6 commits intogrpc:masterfrom

eshitachandwani:add_field_in_handshake_info

Member

eshitachandwani commented Mar 9, 2026 •

edited

Loading

This PR is part of A101 implementation.

This PR does the following changes:

Add sni and autoSniSanValidation field to handshake info.
Change the TLS config building to add SNI if env variable is true (currently false by default so will not be set), and sni is present (currently set as empty in handshake so will not be set).
Change verify function to match SANs against SNI if set and env variable and autoSniSanValidation is true (currently set to false by default).
Set sni to empty and autoSniSanValidation to false by default when creating handshake info in clusterimpl
Adds tests to verify the happy and failure cases of handshake.

In the next PR :

Will decide between hostname and SNI from CDS update in clusterimpl balancer.
Add end to end tests to verify the SNI flow.

RELEASE NOTES: None

eshitachandwani added 2 commits

March 9, 2026 13:26


          add fields to handshake info

da9d9b3


          merge master

deba71a

eshitachandwani added this to the 1.81 Release milestone

eshitachandwani added Type: Feature Area: xDS labels

codecov bot commented Mar 9, 2026 •

edited

Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.10%. Comparing base (fd53961) to head (7f99e03).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8965      +/-   ##
==========================================
- Coverage   83.26%   83.10%   -0.16%     
==========================================
  Files         410      411       +1     
  Lines       32576    32744     +168     
==========================================
+ Hits        27123    27213      +90     
- Misses       4062     4151      +89     
+ Partials     1391     1380      -11

Files with missing lines	Coverage Δ
internal/credentials/xds/handshake_info.go	`93.71% <100.00%> (+0.46%)`	⬆️
internal/xds/balancer/clusterimpl/clusterimpl.go	`86.34% <100.00%> (-1.48%)`	⬇️
internal/xds/server/conn_wrapper.go	`76.27% <100.00%> (ø)`

... and 34 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

eshitachandwani requested a review from Pranjali-2501

March 9, 2026 08:24

eshitachandwani assigned Pranjali-2501

eshitachandwani requested a review from arjan-bal

March 9, 2026 08:25

eshitachandwani added 2 commits

March 12, 2026 10:20


          merge master

31b4ed2

fix

d42b8ab

easwars self-assigned this

Contributor

easwars commented Mar 17, 2026

Change the environment variable to true

We probably don't want to do that until interop tests pass.

easwars reviewed

View reviewed changes

internal/credentials/xds/handshake_info.go Outdated

+              	sanMatchers          []matcher.StringMatcher // Only on the client side.
+              	requireClientCert    bool                    // Only on server side.
+              	sni                  string                  // Only on client side, used for Server Name Indication in TLS handshake.
+              	autoSniSanValidation bool                    // Only on client side, indicates whether to perform validation of SANs based on SNI value.

Contributor

easwars Mar 17, 2026

Nit: In autoSniSanValidation, the Sni and San need to all caps. But that will make the field name be autoSNISANValidation which is not very readable. So, I think you need to get a little creative here.

Maybe sanValidationUsingSNI or something better?

Member Author

eshitachandwani Mar 18, 2026

Changed to validateSANUsingSNI. Let me know if this sounds good.

internal/credentials/xds/handshake_info.go Outdated

               // NewHandshakeInfo returns a new handshake info configured with the provided
               // options.
-              func NewHandshakeInfo(rootProvider certprovider.Provider, identityProvider certprovider.Provider, sanMatchers []matcher.StringMatcher, requireClientCert bool) *HandshakeInfo {
+              func NewHandshakeInfo(rootProvider certprovider.Provider, identityProvider certprovider.Provider, sanMatchers []matcher.StringMatcher, requireClientCert bool, sni string, autoSniSanValidation bool) *HandshakeInfo {

Contributor

easwars Mar 17, 2026

Same here with the autoSniSanValidation parameter?

Member Author

eshitachandwani Mar 18, 2026

Done.

internal/credentials/xds/handshake_info.go Outdated

+              			}
+              			return fmt.Errorf("xds: received DNS SANs: %v do not match the SNI: %v", certs[0].DNSNames, hi.sni)
+              		}
               		// The SANs sent by the MeshCA are encoded as SPIFFE IDs. We need to

Contributor

easwars Mar 17, 2026

Nit: While you are here, could you please remove mentions of MeshCA. That is not something that we use anymore. The SANs are sent to us by the xDS control plane.

Member Author

eshitachandwani Mar 18, 2026

Changed the comment to say that.

internal/credentials/xds/handshake_info.go

+              					return nil
+              				}
+              			}
+              			return fmt.Errorf("xds: received DNS SANs: %v do not match the SNI: %v", certs[0].DNSNames, hi.sni)

Contributor

easwars Mar 17, 2026

Please ensure that these %vs actually are readable in the error message.

Member Author

eshitachandwani Mar 18, 2026

verified that it is readable

internal/credentials/xds/handshake_info.go Outdated

               		if _, err := certs[0].Verify(opts); err != nil {
               			return err
               		}
+              		if envconfig.XDSSNIEnabled && hi.autoSniSanValidation && hi.sni != "" {

Contributor

easwars Mar 17, 2026

This is the sentence from the gRFC:

Server SAN validation against SNI used: If auto_sni_san_validation is true in the UpstreamTlsContext gRPC client will perform matching for a SAN against the SNI used for the handshake if any. If auto_sni_san_validation is true but no SNI was sent, then validation will use any SAN matchers specified in the validation context instead. While XdsChannelCredentials without auto_sni_san_validation performs matching using any of DNS / URI / IPA SAN matchers specified in the validation context, when auto_sni_san_validation is set, validation will be performed using exact DNS matcher.

Based on the above, it is not clear to me whether we should perform matching against any of DNS/URI/IP SAN matchers specified in the validation context or should the validation be performed against exact DNS matcher, when auto_sni_san_validation is true but no SNI was sent.

Could you please confirm what other implementations do?

Member Author

eshitachandwani Mar 18, 2026

From my discussion with Kannan , we should fallback to the matchers provided and continue doing what was being done earlier, and so does Envoy as mentioned here in chat

credentials/xds/xds_client_test.go Outdated

Comment on lines +509 to +510

		autoSniSanValidation bool
		enableSniFlag bool

Contributor

easwars Mar 17, 2026

Nit: Go initialisms here as well.

Member Author

eshitachandwani Mar 18, 2026

Done.

easwars assigned eshitachandwani and unassigned easwars

Member Author

eshitachandwani commented Mar 18, 2026

Change the environment variable to true

We probably don't want to do that until interop tests pass.

Got it! Changed the description too.


          review comment

272f42e

eshitachandwani requested a review from easwars

March 18, 2026 06:24

eshitachandwani assigned easwars and unassigned eshitachandwani

vet

7f99e03

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Area: xDS Type: Feature